Symantec told customers Thursday not to use pcAnywhere until the company can secure the PC remote control software following the theft of its underlying code by hacker collective Anonymous.
Symantec issued the warning after completing an analysis of the source code taken by an Indian chapter of Anonymous from an unidentified third party. Samples of the code were given to Infosec Island, an online community of security professionals that handed the code to Symantec, the vendor reported about two weeks ago.
Symantec found that the code came from 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and pcAnywhere. Only the last of these, pcAnywhere, contained vulnerabilities exposed as a result of the theft.
"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," Symantec said in the advisory.
PcAnywhere enables someone to remotely manage another computer. The discovered vulnerabilities affect the latest and older versions of the software, which was also bundled with other Symantec products, including Altiris Client Management Suite, Altiris IT Management Suite and Altiris Deployment Solution with Remote v7.1. The vendor advised customers to disable the pcAnywhere components.
Symantec found that the encoding and encryption elements of pcAnywhere are vulnerable to a cybercriminal launching a man-in-the-middle attack, which involves a hacker intercepting data moving between computers. If the hacker was able to steal the cryptographic key while eavesdropping, he could use it to access the computers and steal data. If the key was also used with Microsoft Active Directory credentials, then a cybercriminal could gain access to other computers on a network, Symantec said.
Darrel Bowman, chief executive of Tacoma, Wash.-based reseller mynetwork.com, said in his 25 years of selling Symantec products, he could "count on one hand" the number of businesses that bought pcAnywhere. "It's of minimal concern from our perspective," he said.
Bowman didn't believe Symantec's reputation would be tarnished by the theft, given how the vendor has openly acknowledged the problem and has published an advisory in a reasonable amount of time. "Security isn't perfect, and your reputation is how you react (to a breach)," he said. "In my opinion, this is a great way to react. You need to go out there and tell people."
When the code theft was first reported, Symantec played down the potential problems. "It would be very difficult to do anything with (the code), because it is so old," Symantec spokesman Cris Paden had said.
Experts have warned for years that security software, like any other application, contains vulnerabilities. In a 2008 Black Hat conference presentation, Feng Xue, technical lead for security vendor Nevis Networks, said data taken from the U.S. national vulnerability database showed that 165 vulnerabilities in AV software had been reported from 2004 to 2007.