Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of a brace of serious security flaws. The more severe of the two holes allows hackers to remotely inject code into vulnerable systems - made possible because a service on TCP port 5631 permits a fixed-length buffer overflow …
"weaponised into exploits by hackers"
I prefer the term haxsploited meself :)
Anyway, I always thought PCAnywhere was just the PC equivalent of X and inherently insecure.
Friday afternoon X wars were always a favourite - trying to sneak a few googly eyes and cockroaches under the other guy's windows before he noticed and then hitting him with the script that filled his screen with ants and flying Santa Claus and snow etc.
Thems were the days.
Who can remind me
Who can remind me why anyone uses this stuff rather than a well chosen free-to-use/open-source VNC-based equivalent?
Windows Remote Desktop?
I'll remind you
Back in the day, companies didn't have TCP/IP as it was hard to configure. Furthermore, setting up a Remote Access Server with Windows and TCP/IP was too hard for most companies.
PC Anywhere simply allowed you to slam an ISDN card or modem into your Server and dial it up with minimal configuration. It was, more or less, a plug and play solution. Plus it offered file transfers (sometimes limited in speed to a few hundred bytes per second) and a 1-Bit mode which reduced the image to black and white which really sped things up a lot.
Of course, by today there is little need for PC Anywhere. Everything it does can be done more cheaply and conveniently with other methods. I guess some companies just kept it installed. I'm sure there are still companies using it over ISDN.
VNC secure? That a joke?
VNC itself has almost no security whatsoever. In order to not give up pretty much everything to miscreants you have to tunnel it over SSH by yourself. (and hope you're not using one of the plethora of SSH versions with their own security holes)
It also doesn't have 1/10th the functionality that PCAW has.
That said, Symantec's decision to keep mum for 5 years about a serious breach of security-critical source code is outrageous, especially for a company which is now one of the top IT security product vendors in the world. (And I'm not just talking about Norton antivirus - Symantec took over Verisign's SSL business, a major security forum/mailing-list, and sells all sorts of corporate security products as well.)
"r a company which is noT one of the top IT security product vendors in the world."
Fixed it for you.
...and is this Windows only?
Is this Windows only?
I do know the hotfix won't install on Linux...
"apply hotfix in TECH179526"
Not a big deal for most
I doubt this is a real issue for most and the hotfix should eliminate the issue. Hopefully they nail a few more hackers trying to infiltrate.
Not a big deal
PC Anywhere is BANNED from use where I work, and the last place I worked, so this is not a problem for us.
InsecurITy software only used by out-of-school sysadmins
As Framitz indicates, most companies have banned PC Anywhere since the early DoS vulnerabilities.
The current struggle is forcing off-shore support to stop infecting every server they touch with old versions of Dameware.
PC Anywhere Banned?
All non-approved remote access software is banned where I work. It's RDP, X, SSH, Proliant iLO or nothing.
To be honest, I used to work for a company in the days of NT4 and PCA was an essential product. MS released RDP for remote admin in Win2000, but what had actually killed PCA off for us was the then Compaq Lights Out board which was far more functional than any other remote access solution.
"This line of attack ought to be blocked by a properly configured firewall"
So it seems I know even less about firewalls than I thought. How does a firewall prevent a buffer overflow (in another app) through a tcp socket, except by closing the port? Any help?
And while I'm here "...to leverage this". I think the word you want is 'use'.
Same question here
"How does a firewall prevent a buffer overflow (in another app) through a tcp socket, except by closing the port? Any help?"
I think the news item writer might have blown it. Or, maybe I am missing something too.
You would have to do packet inspection that looked for the specific exploit to be able to block this. A regular firewall would either have the port wide open or would be port forwarding the packets blindly.
Your properly configured firewall...
...may be set up to filter on the source of the connection, via IP address, MAC address, etc.
Re: How does a firewall prevent a buffer overflow
Hmmm, the way I read it, I thought by setting a max packet length:
iptables -A INPUT -p tcp --dport 5631 -m length --length $maxlength: -j DROP
Or something like that. But as the article says, it would be stupid to rely on this. I'm also wondering if commercial (hardware) firewall vendors would include this kind of fine-grained rule by default. I somehow doubt it, but it would be interesting to ask.
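An added example, written for this page and not taken from the article, from any commenter, or from pcAnywhere's own code, to show why the per-packet length rule above does not stop the fixed-length overflow the article describes, and what does: a login message can be split across several TCP segments that each pass a `-m length` rule, so only a bound on the accumulated message length inside the service protects the buffer. All sizes (a 64-byte login buffer, a 60-byte packet limit, a 150-byte message) are constructed for the demo and are not pcAnywhere's real values; the overflow is modelled against a flat array so the program stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the demo (not pcAnywhere's real values). */
#define LOGIN_BUF_SIZE 64   /* fixed-length buffer in the service handler */
#define SPILL_SIZE     256  /* stands in for whatever follows it in memory */
#define MAX_PKT_LEN    60   /* the $maxlength a per-packet firewall rule might use */

/* One TCP segment's payload as delivered by a single read() on the port. */
struct segment {
    const unsigned char *data;
    size_t len;
};

/* Models a per-packet rule such as
   iptables ... -m length --length MAX_PKT_LEN: -j DROP
   Returns 1 if every segment on its own is short enough to be let through. */
int packets_pass_length_filter(const struct segment *segs, size_t n, size_t max_pkt_len)
{
    for (size_t i = 0; i < n; i++)
        if (segs[i].len >= max_pkt_len)
            return 0;
    return 1;
}

/* The bug pattern: each segment is appended to a fixed buffer and the running
   total is never checked. The "stack" here is a flat array of buffer + spill
   region so the demo stays defined; the return value is how many bytes landed
   past the end of the login buffer (0 means no overflow). */
size_t unbounded_accumulate(const struct segment *segs, size_t n)
{
    unsigned char frame[LOGIN_BUF_SIZE + SPILL_SIZE];
    size_t used = 0;
    memset(frame, 0, sizeof frame);
    for (size_t i = 0; i < n; i++) {
        size_t len = segs[i].len;
        if (len > sizeof frame - used)   /* cap only so the demo itself stays defined */
            len = sizeof frame - used;
        memcpy(frame + used, segs[i].data, len);
        used += len;
    }
    return used > LOGIN_BUF_SIZE ? used - LOGIN_BUF_SIZE : 0;
}

/* Hardened handler: checks the total against the buffer before every append.
   Returns 0 (and the message length) on success, -1 if the message would
   exceed buf_size, in which case the caller should drop the connection. */
int bounded_accumulate(const struct segment *segs, size_t n,
                       unsigned char *buf, size_t buf_size, size_t *out_len)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].len > buf_size - used)   /* used <= buf_size, so no wraparound */
            return -1;
        memcpy(buf + used, segs[i].data, segs[i].len);
        used += segs[i].len;
    }
    *out_len = used;
    return 0;
}

/* Constructed input: a 150-byte login message split into three 50-byte
   segments, each individually under MAX_PKT_LEN. Returns the spill from the
   unbounded handler and reports the filter and bounded-handler verdicts. */
static unsigned char filler[150];

size_t demo_oversized_login(int *filter_passes, int *bounded_result)
{
    memset(filler, 'A', sizeof filler);
    struct segment segs[3] = {
        { filler,       50 },
        { filler + 50,  50 },
        { filler + 100, 50 },
    };
    unsigned char buf[LOGIN_BUF_SIZE];
    size_t out_len = 0;
    *filter_passes  = packets_pass_length_filter(segs, 3, MAX_PKT_LEN);
    *bounded_result = bounded_accumulate(segs, 3, buf, sizeof buf, &out_len);
    return unbounded_accumulate(segs, 3);
}

int main(void)
{
    int passes, bounded;
    size_t spilled = demo_oversized_login(&passes, &bounded);
    printf("per-packet filter lets all segments through: %s\n", passes ? "yes" : "no");
    printf("unbounded handler wrote %zu bytes past the login buffer\n", spilled);
    printf("bounded handler result: %d (-1 = rejected)\n", bounded);
    return 0;
}
```

The point for a firewall rule is that TCP carries a byte stream, not messages: the handler sees whatever the sender chose as segment boundaries, so a limit on any single packet says nothing about the size of the assembled login. The same run shows the mitigation that does hold, a length check on the accumulated data before the copy, which is also what a vendor hotfix for this class of bug has to add.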
How much easier it is with X and Linux. Used to use PC Anywhere a long time ago on Windows but it was slow as hell, mostly due to Windows I suppose.
It was slow when I used it...
...but that was over a dialup modem.
And that might not have been a fast one.
It was a cool program that allowed us to check the health of a factory at the other end of the UK without the required flights.
And secure too. The factory only plugged the modem into the phone line when we told them to.
Mostly due to Windows and modem speed.
Used it a fair bit at my last job. When Symantec acquired Altiris, they made PCAnywhere the remote control agent for the deployment management suite. It put less load on the CPU of the local PC than the "emergency" remote solution which was directly implemented in the deployment console. Since the agent was sitting on the local net, PCAnywhere ran as quickly as any other remote solution we'd used in the past.
Nasty piece of crap. Can't stand it.
Or maybe it's just been set up to be aggressive by Global IT. Bloody GIT keeps scheduling intensive tasks (monthly virus scan, software audit etc) to trigger during the day, not at night when my PC is on and idle.
better off using sub7 or infector 1.7b anyway, with the startup folder way
"Neither flaw has been weaponised into exploits by hackers, reckons Symantec"
Yet 5 days before the publication of the first advisory, an exploit to do with the login was being talked about in hacker circles and by Anonymous. So I would take Symantec's statement with a pinch of salt. The private 0-day exploit has been in use imo.