January 27, 2012

Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.

On Thursday, Trend Micro said it had encountered malware that leverages a vulnerability in the way Windows handles certain media files. This is a browse-and-get-owned flaw for Windows XP, Windows Vista, Windows Server 2003 and 2008 users, meaning these folks can infect their machines merely by browsing to a hacked or malicious site hosting a specially crafted media file. If you run Windows and have delayed installing this month’s updates, consider taking care of that now by visiting Windows Update.

Trend Micro competitor Symantec also issued a warning this week — about threats to its own software. Responding to a now widely-publicized break-in that resulted in the theft of its proprietary source code in 2006, Symantec issued a 10-page white paper with recommendations for customers still using this software. The company says fewer than 50,000 people are still using pcAnywhere, but those who are should consider applying newly-released updates, or removing the program altogether.

From that whitepaper (PDF):

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

On Thursday, Symantec released updates to address at least three security vulnerabilities in pcAnywhere 12.5 for Windows. The company said it plans to issue additional updates for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5, although it didn’t say precisely when those updates would be available.

It’s generally a bad idea to leave remote administration tools like pcAnywhere always on and always accessible via the Internet. If you must use them, I’d strongly recommend limiting allowable connections to specific computer names or Internet addresses, limiting the number of consecutive logon attempts, and, if feasible, incorporating some type of token-based solution.

7 thoughts on “Warnings About Windows Exploit, pcAnywhere”

  1. Peterj

    The “50,000” number for users of pcAnywhere is really deceiving. It appears to only count the full stand-alone pcAnywhere product users.

    With pcAnywhere included in the Altiris management suite and Symc backup products, I would bet that many more people are running pcAnywhere than we know.
    We’ll be pushing the patch to our 2,000+ Altiris managed desktops shortly…

  2. Thriller is occult brainwashing

    We’ll know our disinformation program is complete when everything the American public believes is false. – William Casey, CIA Director (from first staff meeting in 1981)

  3. FK

    Until a few days ago Symantec considered the pcAnywhere software safe and sound, and then when the source code is released suddenly pcAnywhere is completely insecure and must not be used.

    They did not know?

    I’ll stick with open source solutions, you know what you get, and there is not so much opportunity for the software supplier to be dishonest.

  4. Steve

    …since every Nortel product using a Wintel box has a copy of PCAW on it. Even when it was in business, Nortel didn’t patch Nortel products. Avaya certainly isn’t going to patch it, now. Callpilot, anyone?

  5. batsec

    It is a great misfortune for pcAnywhere users. Some of my best friends also use pcAnywhere to reach their remote customer sites at work.
    I guess it’s a better idea to disable this product until the firm releases a final set of software updates that resolve currently known vulnerability risks.
