February 23, 2012
New pcAnywhere Vulnerability Identified, 200,000 Systems At Risk
Malicious code targeting a newly identified vulnerability in Symantec's pcAnywhere remote control product has been published online, exposing users to potential attacks that disrupt the software's capabilities.
The disclosure comes just one month after Symantec made the unprecedented move of advising pcAnywhere users to disable or uninstall the program because hackers had obtained the remote access software's source code. Days later, Symantec said it had patched all the known vulnerabilities in pcAnywhere and gave the product a clean bill of health.
As many as 200,000 systems could be hijacked by hackers exploiting the pcAnywhere bugs, including as many as 5,000 running point-of-sale programs that collect consumer credit card data, ComputerWorld reported on Wednesday.
Johnathan Norman, director of security research at network security vendor Alert Logic, posted the exploit code on Friday on the Pastebin website, saying the code could be used to crash a critical pcAnywhere service known as awhost32.
Norman said the denial-of-service (DoS) condition is not persistent because the awhost32 process is restarted automatically, so attackers would need to execute the exploit in a loop to cause longer disruptions.
This is just one of many vulnerabilities Norman says he found in pcAnywhere while examining a more severe remote code execution flaw patched by Symantec last month.
"Not sure what I'm going to do with all of them," Norman wrote in a blog post on Friday, adding that the exploit works against fully patched versions of pcAnywhere.
Symantec has not provided any additional details to date, but a company spokesman said the firm is "aware of [Norman's] proof-of-concept code and is investigating the claims."
The latest revelations follow an incident earlier this month when hackers associated with the group Anonymous publicly disclosed pcAnywhere's source code on the Internet.
And in early January, after the source code had initially been stolen, Symantec recommended that pcAnywhere users disable the program until it could issue patches for several vulnerabilities. Later that month, Symantec released several fixes and said the matter had been resolved.
However, the leak of pcAnywhere's source code could potentially result in the identification of new vulnerabilities.
Indeed, an anonymous review of the leaked pcAnywhere files found that the application has not changed much in recent years, and that the current version is likely a continuation of the old code base, rather than a rewrite.
While the analysis did not claim to identify any new vulnerabilities, the author noted that the source code also revealed the workings of LiveUpdate, the Symantec service used to update much of its software, including its consumer antivirus programs.
"We now know how their LiveUpdate system works thanks to the included architecture plans and full source code," wrote the researcher.