After having been notified by Symantec about the theft of the software’s old source code and the increased security risk that incident entails for them, users of the company’s pcAnywhere remote control application have been hit with more bad news.
According to Symantec’s own security advisory, a critical vulnerability that could allow attackers to elevate their privilege and remotely execute arbitrary code has been discovered.
“The remote code execution is the result of not properly validating/filtering external data input during login and authentication with Symantec pcAnywhere host services on 5631/TCP,” it was explained. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.”
Even though the company says that the vulnerability hasn’t been spotted being exploited in the wild, it reacted quickly and made available a hotfix to resolve this issue.
Another vulnerability will also be patched with it, making some files uploaded to the system during the software’s installation not writable and, thus, unsusceptible to file tampering.
The company has not commented on whether the discovery of the flaws is tied to the aforementioned theft of code, but judging by the fact that two security researchers working for reputable companies have been credited for the bugs’ discovery, the connection is highly unlikely.