Dark Reading is part of the Informa Tech Division of Informa PLC

1/26/2012
06:51 PM

Six-Year-Old Breach Comes Back To Haunt Symantec

Security firm warns users to halt use of pcAnywhere until it finishes patching it, but says older Norton products not at risk from previously 'inconclusive' 2006 security incident

There are security advisories and there are patches, but rarely are there outright warnings from a software vendor -- much less a security vendor -- to its customers to stop running one of its products. That’s the latest twist in a recently revealed breach that exposed some source code in Symantec’s software.

In an unusual move, Symantec yesterday issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now. The company released a patch that fixes some vulnerabilities (PDF), including one that allows remote code execution, and says more patches are forthcoming.

The move was a drastic shift in Symantec’s reaction to the breach when it first came to light earlier this month: The security firm at that time confirmed that “a segment of its source code” had been exposed, but said that it did not affect the Norton line of products, and that the breach had occurred via a third party, not on Symantec’s own network.

Last week the company revealed it had indeed been hacked in 2006, and the source code for the software products was exposed.

The exposed source code specifically affects the older 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere. The current versions of all of these products -- except for pcAnywhere -- are safe from any fallout of the breach, according to Symantec.

Why the lag between the 2006 breach and today's warning?

Brian Modena, director of worldwide communications for Symantec, says the company’s findings of a security incident in 2006 at the time were “inconclusive.”

"Symantec was aware that an incident occurred in 2006. We investigated the incident, but our findings were inconclusive at the time," Modena says. It was when the company learned that the Anonymous hacktivist group had gotten hold of its source code that the company went back to reinvestigate the incident of six years ago.

“It was clear that Anonymous was in possession of the code that was stolen, and that was when it was confirmed to us that code had been stolen for sure. Having said that, we have yet to determine who stole the code in 2006,” Modena says. “Anonymous was in possession of it in 2012, but that does not mean they actually stole it; we think not, given that Anonymous didn’t exist in 2006, and we most assuredly would’ve heard about it during the preceding years.”

While an Anonymous-affiliated group has claimed to have stolen the source code from an Indian government agency, Symantec has no record of sharing any code with any government agencies in India, Modena says.

The so-called Lords of Dharmaraja hacking clan claims to have grabbed Symantec's Norton antivirus source code.

It's not unusual for a company to initially be unable to tell what was stolen in a breach or how one breach is connected to another. "Honestly, the toughest part of incident response is being able to tell what the bad guy took," says Richard Bejtlich, CSO at Mandiant. "It can be fairly difficult to connect the dots to say what happened at one point and how it related to something else ... [Symantec] probably took a second look at their forensic evidence," he says.

[Questions surround 'Lords of Dharmaraja' hackers behind attacks on Symantec and others. See China Not The U.S.'s Only Cyber-Adversary.]

It's the encoding and encryption pieces of pcAnywhere that are vulnerable in the wake of the breach: Attackers could wage man-in-the-middle attacks and steal credentials or sniff session information, according to Symantec. Another side effect is that an attacker could initiate malicious remote-control sessions to steal information or to access systems. "If the malicious user obtains the cryptographic key, they have the capability to launch unauthorized remote control sessions," according to Symantec's white paper.

The worst-case scenario for pcAnywhere is that the bad guys who have the source code can find new bugs and write new exploits. "Additionally, customers that are not following general security best practices may be susceptible to man-in-the-middle type attacks, which can reveal authentication and session information," Symantec's Modena says.
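The two paragraphs above describe the core risk: a cryptographic key that every copy of the software relies on, so that whoever holds it can open a remote-control session or sit in the middle of one. The following Python toy is an added illustration, not code from the article, from Symantec, or from pcAnywhere itself, and it does not reflect pcAnywhere's real protocol. It assumes a constructed product-wide key (`PRODUCT_WIDE_KEY`), a constructed host identifier, and hypothetical function and class names (`legacy_token`, `HardenedHost`). It contrasts a session proof that depends only on the shared key (which a leaked key defeats) with a per-install secret and single-use nonce challenge, the mitigation a vendor or deployer would reach for when the shared key can no longer be trusted.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: stands in for a secret that is identical in every
# install and therefore exposed to anyone who has the product's source code.
PRODUCT_WIDE_KEY = b"constructed-product-wide-key"


def legacy_token(host_id: bytes, key: bytes) -> bytes:
    """Legacy scheme (hypothetical): the session proof depends only on the key."""
    return hmac.new(key, host_id, hashlib.sha256).digest()


def legacy_server_accepts(host_id: bytes, token: bytes) -> bool:
    """Server side of the legacy scheme: anyone holding PRODUCT_WIDE_KEY passes."""
    return hmac.compare_digest(token, legacy_token(host_id, PRODUCT_WIDE_KEY))


def leaked_key_opens_session(host_id: bytes, leaked_key: bytes) -> bool:
    """Models the risk in the text: a party holding the leaked key can start a session."""
    return legacy_server_accepts(host_id, legacy_token(host_id, leaked_key))


class HardenedHost:
    """Hardened scheme (hypothetical): per-install secret plus nonce challenge-response.

    The secret is generated at install time and never appears in source code,
    so a source leak (and with it PRODUCT_WIDE_KEY) does not help a third party.
    """

    def __init__(self, host_id: bytes) -> None:
        self.host_id = host_id
        self.secret = secrets.token_bytes(32)  # provisioned per install, not in source
        self._outstanding = set()              # nonces issued and not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    @staticmethod
    def respond(secret: bytes, host_id: bytes, nonce: bytes) -> bytes:
        """Client side: prove knowledge of the per-host secret for this nonce."""
        return hmac.new(secret, nonce + host_id, hashlib.sha256).digest()

    def accept(self, nonce: bytes, response: bytes) -> bool:
        """Server side: nonce must be outstanding (single use), comparison is constant time."""
        if nonce not in self._outstanding:
            return False                       # unknown or replayed nonce
        self._outstanding.discard(nonce)       # each nonce is usable exactly once
        expected = self.respond(self.secret, self.host_id, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes against a holder of the leaked product-wide key."""
    host_id = b"workstation-42"                # constructed identifier
    results = {}

    # Legacy: the leaked key alone is enough to open a session.
    results["legacy_leaked_key_works"] = leaked_key_opens_session(host_id, PRODUCT_WIDE_KEY)

    # Hardened: only the client holding the per-host secret passes.
    host = HardenedHost(host_id)
    nonce = host.issue_challenge()
    results["hardened_legit_works"] = host.accept(
        nonce, HardenedHost.respond(host.secret, host_id, nonce))

    # Replaying a consumed nonce is rejected even with the right secret.
    results["hardened_replay_rejected"] = not host.accept(
        nonce, HardenedHost.respond(host.secret, host_id, nonce))

    # Knowing the product-wide key gives nothing against the per-host secret.
    nonce2 = host.issue_challenge()
    results["hardened_leaked_key_fails"] = not host.accept(
        nonce2, HardenedHost.respond(PRODUCT_WIDE_KEY, host_id, nonce2))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that a secret compiled into every copy of a product is only as private as the least-controlled copy of the source; a per-install secret bound to a single-use challenge leaves nothing for a source leak to expose.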

Security experts say Symantec's recommendation to halt use of its software is highly unusual and indicates that another shoe could drop.

“I can’t think of any other time a company has come outright and said, 'Stop using our product until we patch it,’” says Chris Eng, vice president of research at Veracode, who notes that the advisory reveals some interesting points when it comes to the remote code execution vulnerabilities. "It looks like it allows remote source code execution on the server without authentication. If so, that's a big deal.

"Those sorts of things -- remote command execution, remote code execution -- get reported all the time, but they never say, 'Discontinue use of the product,'" Eng says.

Meanwhile, Symantec says users should move to version 12.5 of pcAnywhere and install the latest patches, including the Jan. 24 patch for the Windows version. "Additional patches are planned for pcAnywhere 12.0, pcAnywhere 12.1, and pcAnywhere 12.5 in the coming weeks. Symantec will continue to issue patches as needed until a new version of pcAnywhere is released," Symantec's Modena says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

joes12, User Rank: Apprentice, 1/30/2012 | 4:45:17 AM
re: Six-Year-Old Breach Comes Back To Haunt Symantec
But this breach has created high risk for Symantec users, and Symantec itself has told its users to uninstall its products.

paparocks, User Rank: Apprentice, 1/27/2012 | 2:11:26 PM
re: Six-Year-Old Breach Comes Back To Haunt Symantec
I recall reading in an article a few days ago that the statement that this was stolen from an Indian source came from Anonymous. Anonymous's actions are concerning enough without misquoting the sources. Let's remember this act is an attack on people, and who the bad guys are here, please.