A month after Symantec (NASDAQ:SYMC) acknowledged that some source codes for its network and products were stolen back in 2006, some consumers who rely on its antivirus software to safeguard their systems are still working with versions of the program that may be afflicted with security flaws, according to Rapid7.
The research firm originally said that as many as 200,000 pcAnywhere systems could be hijacked while connected to the Internet, but later revised its assessment to say the systems are “exposed,” including about 140,000 that may be vulnerable to a security exploit recently released for pcAnywhere. The exploit currently does not have a fix associated with it, but so far is just a denial of service flaw, Rapid 7 said.
Last month Symantec took the unusual step of advising users of its pcAnywhere software suite, which is designed to allow users to securely connect to a host computer from a remote PC, to disable the product until it deployed patches, which it later did. But the Mountain View, Calif.-based company apparently never provided a patch for all versions of the software, so it’s possible that while those users of those versions are on the Internet, a hacker could take control of the host computer and view content that’s on the screen.
Rapid7’s chief security officer, HD Moore, told Computer World that he discovered the vulnerabilities while scanning the Internet for the transmission-control protocol port the software leaves open for incoming commands. More-targeted scans revealed pcAnywhere programs that were older than those that the Symantec patches were designed to accommodate
Unfortunately for Symantec, there are other dimensions to the pcAnywhere problem. Hackers have found new ways to exploit Symantec’s recent repairs. One published a new code this week on the Internet that could be used to crash any copy of pcAnywhere. Another has disclosed the workings of LiveUpdate, a Symantec service used to update much of its software, including Norton Antivirus.
It’s important to note, though, that when Symantec acknowledged that its system had been compromised, it in fact never actually claimed to have fixed the problem in its entirety. Instead, the global provider of security systems said that it had provided patches for all “known” vulnerabilities. Meanwhile, security specialists in other quarters got busy. It’s hardly unusual for security firms to highlight flaws in competitors’ products, but it’s usually puzzling—and often troubling—to customers and investors when a security company seems to struggle to thoroughly address all known vulnerabilities in its own products.