Major Symantec breach highlights risks of running old software

Update 31-Jan: After releasing a pair of patches, Symantec says it's safe to use the latest version of its software. Details here.

PCAnywhere was ancient in June 1996, when Symantec shipped pcAnywhere 7.5 for Windows 95 and Windows NT Workstation 4.0. That's the oldest press release I can find online, and it's introducing version 7.5. The product already had seven releases at the dawn of the Windows era. And the software industry didn't run at Internet speed back then.

People are still using versions even older than that. I am pretty sure the MS-DOS version of the remote-access program goes back to the late 1980s. And yet I found a support request on Symantec's forums from May 2010—less than two years ago—from someone who needed to connect to a computer running MS-DOS 6.22 and PC Anywhere 5.0 for DOS.

This was well into the 21st Century.

pcAnywhere version 12.0 shipped in 2006. It's had incremental releases since then, but Symantec hasn't found any of those events important enough to issue a press release.

Let's paint this picture in stark black and white: This is a six-year-old software program, built on decades of legacy code written in pre-Internet days, that is now in maintenance mode. Or, if you prefer, on life support.

And now Symantec is urging its users to pull the plug, at least temporarily. The company revealed the gory details this morning not in a press release, but in a 10-page white paper (PDF):

Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

I wouldn't be worried about those antivirus and security programs. They have been regularly updated and heavily rearchitected since 2006, with significant upgrades every year. But pcAnywhere has been in maintenance mode, a forgotten product.

Symantec says fewer than 50,000 people are still using pcAnywhere. And now the company says, in no uncertain terms, they should stop:

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein. [emphasis added]

I am not sure I have ever heard of a company advising its customers to stop using a product completely because it was too dangerous. But apparently the risk with pcAnywhere is so great that this is the only sane option.

There are many, many modern alternatives to allow secure external access to your business network or your home PC. If you've been hanging on to pcAnywhere, you're now officially out of excuses to switch.

Update: Reached for comment, a Symantec spokesperson replied vie e-mail with a statement that repeated, almost word for word, the advice contained in the white-paper advisory. The spokesperson also referred customers to a Symantec site that hosts information on the breach:

Claims by Anonymous about Symantec Source Code

Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers using prior versions of the product. pcAnywhere is also bundled with numerous Symantec products. The full standalone product is bundled in a number of Altiris based solutions. A remote access component of pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a number of Symantec backup and security products.

Symantec recommends that customers follow general security best practices, as well as configuring pcAnywhere in a way that minimizes potential risks. Symantec also recommends that customers only use pcAnywhere for business critical purposes.

If you're an IT professional or manager who is using this program in a "business critical" situation, I hope you feel right now like your hair is on fire.

On Monday, January 23, 2012, Symantec released a patch that eliminates three known vulnerabilities affecting customers using pcAnywhere 12.5 running on Windows. Additional patches are planned for release during the week of January 23 for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5. Symantec will continue to issue patches as needed until a new version of pcAnywhere that addresses all currently known vulnerabilities is released.

 The post does not contain any guidance on when that update can be expected, nor does it contradict the recommendation to stop using pcAnywhere at this time.