Major Symantec breach highlights risks of running old software

Summary: Symantec says it has fewer than 50,000 users of pcAnywhere, a remote-access program that has been around for decades. It now says, for safety's sake, those users should pull the plug. Immediately.

Topics: Software, Security

Update 31-Jan: After releasing a pair of patches, Symantec says it's safe to use the latest version of its software. Details here.

PCAnywhere was ancient in June 1996, when Symantec shipped pcAnywhere 7.5 for Windows 95 and Windows NT Workstation 4.0. That's the oldest press release I can find online, and it's introducing version 7.5. The product already had seven releases at the dawn of the Windows era. And the software industry didn't run at Internet speed back then.

People are still using versions even older than that. I am pretty sure the MS-DOS version of the remote-access program goes back to the late 1980s. And yet I found a support request on Symantec's forums from May 2010—less than two years ago—from someone who needed to connect to a computer running MS-DOS 6.22 and PC Anywhere 5.0 for DOS.

This was well into the 21st Century.

pcAnywhere version 12.0 shipped in 2006. It's had incremental releases since then, but Symantec hasn't found any of those events important enough to issue a press release.

Let's paint this picture in stark black and white: This is a six-year-old software program, built on decades of legacy code written in pre-Internet days, that is now in maintenance mode. Or, if you prefer, on life support.

And now Symantec is urging its users to pull the plug, at least temporarily. The company revealed the gory details this morning not in a press release, but in a 10-page white paper (PDF):

Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

I wouldn't be worried about those antivirus and security programs. They have been regularly updated and heavily rearchitected since 2006, with significant upgrades every year. But pcAnywhere has been in maintenance mode, a forgotten product.

Symantec says fewer than 50,000 people are still using pcAnywhere. And now the company says, in no uncertain terms, they should stop:

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein. [emphasis added]

I am not sure I have ever heard of a company advising its customers to stop using a product completely because it was too dangerous. But apparently the risk with pcAnywhere is so great that this is the only sane option.

There are many, many modern alternatives to allow secure external access to your business network or your home PC. If you've been hanging on to pcAnywhere, you're now officially out of excuses not to switch.

Update: Reached for comment, a Symantec spokesperson replied via e-mail with a statement that repeated, almost word for word, the advice contained in the white-paper advisory. The spokesperson also referred customers to a Symantec site that hosts information on the breach:

Claims by Anonymous about Symantec Source Code

Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers using prior versions of the product. pcAnywhere is also bundled with numerous Symantec products. The full standalone product is bundled in a number of Altiris based solutions. A remote access component of pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a number of Symantec backup and security products.

Symantec recommends that customers follow general security best practices, as well as configuring pcAnywhere in a way that minimizes potential risks. Symantec also recommends that customers only use pcAnywhere for business critical purposes.

If you're an IT professional or manager who is using this program in a "business critical" situation, I hope you feel right now like your hair is on fire.

Update 26-Jan: Some updates are now available, according to this Symantec support page: Important Information on pcAnywhere:

On Monday, January 23, 2012, Symantec released a patch that eliminates three known vulnerabilities affecting customers using pcAnywhere 12.5 running on Windows. Additional patches are planned for release during the week of January 23 for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5. Symantec will continue to issue patches as needed until a new version of pcAnywhere that addresses all currently known vulnerabilities is released.

The post does not contain any guidance on when that update can be expected, nor does it contradict the recommendation to stop using pcAnywhere at this time.

Talkback

32 comments
  • RE: Major Symantec breach highlights risks of running old software

    Not sure I believe it. At my workplace we have 10 people using PcAnywhere. But we use it in conjunction with our firewall and dyndns which prevents any hacking besides some crazy level of mind-reading IP spoofing, which is highly unlikely.

    There's got to be more installs out there than that.
    wendellgee2
    • RE: Major Symantec breach highlights risks of running old software

      @wendellgee@... I bet it's higher than that too. So many businesses hang on to software that went out of support years/decades ago.
      bradavon
    • RE: Major Symantec breach highlights risks of running old software

      @wendellgee@... Incidentally Symantec still let you buy PcAnywhere 12.5. If it's so insecure why allow you to buy it?
      bradavon
  • Wow, I had no idea...

    ...that many people still used pcAnywhere. I dumped it years ago, and the one time I've come across it in the past decade, I insisted they use an alternate program. There's just no excuse in it what with Remote Desktop and Citrix solutions available.
    GoodThings2Life
    • It's included in some current products

      @GoodThings2Life

      pcAnywhere technology is included in some current Symantec products, including Altiris management tools.
      Ed Bott
    • RE: Major Symantec breach highlights risks of running old software

      @GoodThings2Life

      I have used pcAnywhere 10.5, 11.0, 12.5 with clients in the past, for its combination of features and not just to access a machine remotely. In my own lab network I am running all these versions and they work well together.

      But to start with, accessing a remote machine with PCA shows the actual user Desktop and what the user is doing - great for debugging in customer support. Correct me but I believe RDP provides a virtual environment and not a connection to the Desktop. I suppose I could use VNC or other similar products if it was just remote access.

      I use PCA for opening a chat channel to a client to keep them updated in realtime on progress of a task, say rolling out MRP (Manufacturing Resource Planning) server and client software to their network, and of course, I am connected to each node remotely via PCA doing the actual install as well.

      I have found that some software installations will not work properly if I am connected via RDP but work fine with PCA - depends on the software application.

      I have found that connecting to a client's terminal server via RDP and then connecting to internal nodes via PCA works 99% of the time, assuming I have installed PCA on the terminal server for internal network operations.

      I use the PCA whiteboard (v12 +) to communicate ideas visually to the client while adding audio commentary on the phone.

      When connecting to a remote node, I use both PCA authentication feature and Windows login - double-login, if you will, for the added security.

      Finally, I use PCA as a crude Network Management Station (NMS) through the Quick Connect panel. If PCA on each machine is configured to work with the default ports (5631 Data, 5632 Status) then PCA will poll the network for all machines running PCA via port 5632 and display them in the Quick Connect panel. If I do not see a particular host then I know something has happened to that node. In essence, PCA is giving me node up/down status.

      I have not had a chance to check out other remote access applications to see if they bundle all these features together. Maybe a topic for ZDNET to visit and write about in the future.

      Ion
      ion_tichy
  • RE: Major Symantec breach highlights risks of running old software

    So glad I'm not a Symantec customer...
    The one and only, Cylon Centurion
  • RE: Major Symantec breach highlights risks of running old software

    Software old or new is a risk, the only way to stay completely safe is never use a computer.
    Alan Smithie
    • RE: Major Symantec breach highlights risks of running old software

      @Alan Smithie

      Wrong. You are MUCH MUCH MUCH more likely to have a bad thing happen if you are running software that is in 'maintenance mode' and is not sold anymore nor updated.
      Lerianis10
      • Amuse the world then

        Provide support for your (and Bott's assertion) that old = insecure.

        Do you know anything about the metrics for flaws per application? Per line of code? Anything? This is just another bollocks blog.
        ego.sum.stig
  • RE: Major Symantec breach highlights risks of running old software

    I can't help but wonder if this will be Windows XP in a few years.
    The one and only, Cylon Centurion
    • I had the same thought

      @Cylon Centurion

      Microsoft will stop updating XP in April 2014. Anyone who uses it on a network after that date is a fool.
      Ed Bott
      • RE: Major Symantec breach highlights risks of running old software

        @Ed Bott
        Sometimes I am amazed with the comments you make. "Anyone who uses it on a network after that date is a fool" Did it ever occur to you that people simply cannot afford to buy new software and/or hardware for that matter??? Did it ever occur to you to put the blame on the software companies themselves for selling the consumer half baked software????? Or how about blame Symantec the security company of not being able to secure their own software and websites? Let us do the easy thing. Blame the consumer.
        ITguypeoria
      • RE: Major Symantec breach highlights risks of running old software

        @ITguepeoria

        Not being able to afford stable and secure software is a stupid argument since Linux is free. Anyone that has older hardware who cannot afford to update should have switched to Linux anyway since it breathes new life into stuff that would likely have been thrown away.
        jrockefeller1
      • RE: Major Symantec breach highlights risks of running old software

        @Ed Bott

        There are a few cases where I can see an XP box still sitting around the Intranet somewhere, but anyone still running XP boxes with a connection to the Internet at large, yes, I agree. That goes for any outdated software.

        @ITguypeoria

        After nearly 20 years, there is no excuse for not having an upgrade budget for software like pcAnywhere. Even for operating systems such as Windows 2000 or XP that have had 10+ years on the market. There comes a point where falling behind like that becomes detrimental to a business at large, that not upgrading does more harm than actually biting the bullet to upgrade. After all, once your customers move forward, they're going to need the services that can keep up with them.
        The one and only, Cylon Centurion
      • RE: Major Symantec breach highlights risks of running old software

        @Ed Bott: No, sorry, Ed. We still have machines running 98SE where I work and they are on the network. The only way an XP machine would be a problem on a network is if it is either A, the gateway to the internet or B, is left exposed to the public with no UAC controls where someone can casually install software. But, then, gee, that's not going to change even when we're up to Windows 3K. After all, security does not just exist in the ether(net), but out in the real world too, and I don't see software users can plug into their heads to prevent Social Engineering attacks.
        RyuDarragh
      • RE: Major Symantec breach highlights risks of running old software

        @ ITguypeoria: XP has been on the market for a decade. Companies have long got their money's worth from it and to expect decade old software to be anything but half baked (when compared to modern software) is plain stupidity.
        bradavon
      • So, what becomes of the assertion that XP was totally secure?

        Of course the rider was that you just had to spend a moment at setup locking it all down.

        Well? Or are you now asserting that XP is about as secure as being mistaken for a Millwall fan in the Hammer's section? And if so, why all the lies about how secure it was over the years?
        ego.sum.stig
      • RE: Major Symantec breach highlights risks of running old software

        @Ed Bott I agree with you 100%. Anyone still running XP after this date is just asking for trouble. @ITguypeoria you can't blame Microsoft for this. They have given lots of notice re:XP. A software company can only support an old OS for so long.
        murving
      • RE: Major Symantec breach highlights risks of running old software

        @Ed Bott

        Agreed. The way I understand it, with the number of XP boxes that might be still online after April, 2014, the bad guys will certainly take advantage of future unpatched exploits in XP, and the fools that keep XP online will be the victims.
        Why_Not_Me