For weeks now, Symantec has been downplaying the risk to its customers from a security breach in which a hacker stole source code and released it into the wild.
But customers of at least three of Symantec’s current products are at risk of a hack attack, and Symantec’s full warning was hidden in a hard-to-find whitepaper.
The company has warned customers of Symantec’s pcAnywhere product to turn it off until it is patched. The company has issued one patch so far and is working on more. pcAnywhere is also used in Symantec’s other products, which means that users of these are also exposed.
“With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits,” Symantec said in a whitepaper released on Monday, innocuously named “Symantec pcAnywhere Security Recommendations.”
“At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,” the whitepaper stated. “Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product. pcAnywhere is also bundled in three Symantec products, Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1.”
On the company’s home page today, days after it published the whitepaper, is a link to an article called “Claims by Anonymous about Symantec Source Code” in which the company fails to advise customers to turn off pcAnywhere. It simply tells them to “only use pcAnywhere for business critical purposes” and links to a blog post (which contains a link to the whitepaper).
Fortunately, computer trade press publications like ITworld noticed and read the whitepaper and warned Symantec’s customers.
The ultimate irony is that Symantec’s advertising tagline is: “Confidence in a connected world.”
Symantec could not be reached for comment.