Symantec advises customers to stop using pcAnywhere

In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued.

According to a white paper the company published on Wednesday, users face the following risks:

  • Man-in-the-middle attacks (depending on the configuration and use of the product), because of vulnerable encoding and encryption elements within the software.
  • If attackers obtain the cryptographic key, they can launch remote control sessions and thus gain access to systems and sensitive data. If the cryptographic key itself is tied to Active Directory credentials, they can also carry out other malicious activities on the network.
  • If attackers place a network sniffer on a customer's internal network and have access to the encryption details, pcAnywhere traffic, including the user login credentials exchanged during session setup, could be intercepted and decoded.

The white paper also contains security recommendations for minimizing the risk of continuing to use the software, since some customers cannot stop using it because it is of critical importance to their business.

Apart from being a standalone product, pcAnywhere is also bundled in three Symantec products – Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1.

Also on Wednesday, Symantec released a hotfix for two critical vulnerabilities in pcAnywhere that appear to be unconnected to the theft of the software's old source code.

In the meantime, ISC has warned that some data indicates that “someone started scanning around for services on port 5631 (pcAnywhere). While the number of sources is still relatively low (indicating a single scanner, or a small number of them), the number of targets is pretty high.”
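The pattern ISC describes, a small number of sources touching a large number of targets on one port, is simple to check for in perimeter logs. The following is an added example, not code from the article, ISC or Symantec: it parses a handful of constructed iptables-style firewall log lines (the format, hostnames and addresses are assumptions for the demonstration) and flags any source that has probed at least a threshold number of distinct hosts on TCP/5631, while also reporting the overall source and target counts that let you make the "few sources, many targets" judgement ISC makes.

```python
import re
from collections import defaultdict

# Constructed sample log, not real traffic: iptables-style SYN log lines.
# 203.0.113.5 sweeps five hosts on TCP/5631 (one host twice), 198.51.100.7
# makes a single connection to one host, and 203.0.113.9 probes port 22,
# which is not the port of interest.
SAMPLE_LOG = """\
Jan 25 10:01:02 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=5631 SYN
Jan 25 10:01:02 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=44122 DPT=5631 SYN
Jan 25 10:01:03 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=44123 DPT=5631 SYN
Jan 25 10:01:03 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=44124 DPT=5631 SYN
Jan 25 10:01:04 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=44125 DPT=5631 SYN
Jan 25 10:01:04 fw1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=44126 DPT=5631 SYN
Jan 25 10:02:10 fw1 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5631 SYN
Jan 25 10:03:00 fw1 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=60001 DPT=22 SYN
Jan 25 10:03:00 fw1 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.21 PROTO=TCP SPT=60002 DPT=22 SYN
"""

# Fields we need from each line; the key=value layout is the one used by
# the iptables LOG target (an assumption about the log source).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the (src, dst, proto, dport) fields of one log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
    }


def detect_port_sweep(lines, port=5631, proto="TCP", min_targets=5):
    """Summarise who is probing `proto`/`port` and flag horizontal sweeps.

    A source is reported as a scanner once it has hit at least `min_targets`
    distinct destination hosts on that port. Repeated hits on the same host
    are counted once, so a single retried connection is not a sweep.
    """
    targets_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["dport"] != port:
            continue
        targets_by_src[rec["src"]].add(rec["dst"])

    scanners = {
        src: sorted(dsts)
        for src, dsts in targets_by_src.items()
        if len(dsts) >= min_targets
    }
    all_targets = set().union(*targets_by_src.values()) if targets_by_src else set()
    return {
        "sources": len(targets_by_src),   # distinct sources touching the port
        "targets": len(all_targets),      # distinct hosts touched on the port
        "scanners": scanners,             # sources that crossed the threshold
    }


if __name__ == "__main__":
    summary = detect_port_sweep(SAMPLE_LOG.splitlines())
    print(f"{summary['sources']} source(s) touched {summary['targets']} "
          f"target(s) on TCP/5631")
    for src, dsts in summary["scanners"].items():
        print(f"sweep from {src}: {len(dsts)} hosts -> {', '.join(dsts)}")
```

On the sample above the script reports two sources and five targets on TCP/5631 and flags only 203.0.113.5; the threshold and port are parameters, so the same function covers other exposed remote-access services. A real deployment would feed it a rolling window of log lines rather than the whole file, since a slow scanner spreads its probes over hours.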

Martin McKeay, Security Evangelist at Akamai Technologies, points out that many remote desktop applications are directly exposed to the Internet because service providers use them to troubleshoot their clients' network equipment, and that this is unlikely to change in the near future. "The service provider model requires remote tools, otherwise the travel time to and from locations kills any chance of making a profit. Which means the folks who want to compromise systems and steal credit cards are going to continue to have access to the remote desktop solutions," he concluded.