Symantec says it has fewer than 50,000 users of pcAnywhere, a remote-access program that has been around for decades. It now says, for safety’s sake, those users should pull the plug. Immediately.
PCAnywhere was ancient in June 1996, when Symantec shipped pcAnywhere 7.5 for Windows 95 and Windows NT Workstation 4.0. That’s the oldest press release I can find online, and it’s introducing version 7.5. The product already had seven releases at the dawn of the Windows era. And the software industry didn’t run at Internet speed back then.
People are still using versions even older than that. I am pretty sure the MS-DOS version of the remote-access program goes back to the late 1980s. And yet I found a support request on Symantec’s forums from May 2010—less than two years ago—from someone who needed to connect to a computer running MS-DOS 6.22 and PC Anywhere 5.0 for DOS.
This was well into the 21st Century.
pcAnywhere version 12.0 shipped in 2006. It’s had incremental releases since then, but Symantec hasn’t found any of those events important enough to issue a press release.
Let’s paint this picture in stark black and white: This is a six-year-old software program, built on decades of legacy code written in pre-Internet days, that is now in maintenance mode. Or, if you prefer, on life support.
And now Symantec is urging its users to pull the plug, at least temporarily. The company revealed the gory details this morning not in a press release, but in a 10-page white paper (PDF):
Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
I wouldn’t be worried about those antivirus and security programs. They have been regularly updated and heavily rearchitected since 2006, with significant upgrades every year. But pcAnywhere has been in maintenance mode, a forgotten product.
Symantec says fewer than 50,000 people are still using pcAnywhere. And now the company says, in no uncertain terms, they should stop:
With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.
At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein. [emphasis added]
I am not sure I have ever heard of a company advising its customers to stop using a product completely because it was too dangerous. But apparently the risk with pcAnywhere is so great that this is the only sane option.
There are many, many modern alternatives to allow secure external access to your business network or your home PC. If you’ve been hanging on to pcAnywhere, you’re now officially out of excuses to switch.
Update: Reached for comment, a Symantec spokesperson replied vie e-mail with a statement that repeated, almost word for word, the advice contained in the white-paper advisory. The spokesperson also referred customers to a Symantec site that hosts information on the breach: