In an unusual move, Symantec yesterday issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now. The company released a patch that fixes some vulnerabilities (PDF), including one that allows remote code execution, and says more patches are forthcoming.
The move was a drastic shift in Symantec’s reaction to the breach when it first came to light earlier this month: The security firm at that time confirmed that “a segment of its source code” had been exposed, but that it did not affect the Norton line of products, and that the breach had occurred via a third-party, not on Symantec’s own network.
Last week the company revealed it had indeed been hacked in 2006, and the source code for the software products was exposed.
The exposed source code specifically affects the older 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere. The current versions of all of these products -- except for pcAnywhere -- are safe from any fallout of the breach, according to Symantec.
Why the lag time between the 2006 breach and today's warning?
Brian Modena, director of worldwide communications for Symantec, says the company’s findings of a security incident in 2006 at the time were “inconclusive.”
"Symantec was aware that an incident occurred in 2006. We investigated the incident, but our findings were inconclusive at the time," Modena says. It was when the company learned that the Anonymous hacktivist group had gotten hold of its source code that the company went back to reinvestigate the incident of six years ago.
“It was clear that Anonymous was in possession of the code that was stolen, and that was when it was confirmed to us that code had been stolen for sure. Having said that, we have yet to determine who stole the code in 2006,” Modena says. “Anonymous was in possession of it in 2012, but that does not mean they actually stole it; we think not, given that Anonymous didn’t exist in 2006, and we most assuredly would’ve heard about it during the preceding years.”
While an Anonymous-affiliated group has claimed to have stolen the source code from an Indian government agency, Symantec has no record of sharing any code with any government agencies in India, Modena says.
The so-called Lords of Dharmaraja hacking clan claims to have grabbed Symantec's Norton antivirus source code.
It's not unusual for a company to initially be unable to tell what was stolen in a breach or how one breach is connected to another. "Honestly, the toughest part of incident response is being able to tell what the bad guy took," says Richard Bejtlich, CSO at Mandiant. "It can be fairly difficult to connect the dots to say what happened at one point and how it related to something else ... [Symantec] probably took a second look at their forensic evidence," he says.
It's the encoding and encryption pieces of pcAnywhere that are vulnerable in the wake of the breach: Attackers could wage man-in-the-middle attacks and steal credentials or sniff session information, according to Symantec. Another side effect is the attacker being able to initiate malicious remote-control sessions to steal information or to access systems. "If the malicious user obtains the cryptographic key, they have the capability to launch unauthorized remote control sessions," according to Symantec's white paper.
The worst-case scenario for pcAnywhere is that the bad guys who have the source code can find new bugs and write new exploits. "Additionally, customers that are not following general security best practices may be susceptible to man-in-the-middle type attacks, which can reveal authentication and session information," Symantec's Modena says.
Security experts say Symantec's recommendation to halt use of its software is highly unusual and indicates that another shoe could drop.
“I can’t think of any other time a company has come outright and said, 'Stop using our product until we patch it,’” says Chris Eng, vice president of research at Veracode, who notes that the advisory reveals some interesting points when it comes to the remote code execution vulnerabilities. "It looks like it allows remote source code execution on the server without authentication. If so, that's a big deal.
"Those sorts of things -- remote command execution, remote code execution -- get reported all the time, but they never say, 'Discontinue use of the product,'" Eng says.
Meanwhile, Symantec says users should move to version 12.5 of pcAnywhere and install the latest patches, including the Jan. 24 patch for the Windows version. "Additional patches are planned for pcAnywhere 12.0, pcAnywhere 12.1, and pcAnywhere 12.5 in the coming weeks. Symantec will continue to issue patches as needed until a new version of pcAnywhere is released," Symantec's Modena says.