pcAnywhere let anyone anywhere inject code into PCs

Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of two serious security flaws. The more severe of the two lets an attacker inject code into vulnerable systems remotely, because a service listening on TCP port 5631 can be made to overflow a fixed-length buffer …

COMMENTS

This topic is closed for new posts.
  1. Sir Runcible Spoon

    Sir

    "weaponised into exploits by hackers"

    I prefer the term haxsploited meself :)

    Anyway, I always thought pcAnywhere was just the PC equivalent of X and inherently insecure.

    Friday afternoon X wars were always a favourite - trying to sneak a few googly eyes and cockroaches under the other guy's windows before he noticed and then hitting him with the script that filled his screen with ants and flying Santa Claus and snow etc.

    Thems were the days.

  2. Anonymous Coward

    Who can remind me

    Who can remind me why anyone uses this stuff rather than a well chosen free-to-use/open-source VNC-based equivalent?

    1. JimmyPage

      Or indeed

      Windows Remote Desktop?

    2. Christian Berger

      I'll remind you

      Back in the day, companies didn't have TCP/IP as it was hard to configure. Furthermore, setting up a Remote Access Server with Windows and TCP/IP was too hard for most companies.

      PC Anywhere simply allowed you to slam an ISDN card or modem into your Server and dial it up with minimal configuration. It was, more or less, a plug and play solution. Plus it offered file transfers (sometimes limited in speed to a few hundred bytes per second) and a 1-Bit mode which reduced the image to black and white which really sped things up a lot.

      Of course by today there is little need for PC Anywhere. Everything it does can be done more cheaply and conveniently with other methods. I guess some companies just kept it installed. I'm sure there are still companies using it over ISDN.

    3. Phil Koenig

      VNC secure? Is that a joke?

      VNC itself has almost no security whatsoever. In order to not give up pretty much everything to miscreants you have to tunnel it over SSH by yourself. (and hope you're not using one of the plethora of SSH versions with their own security holes)

      It also doesn't have 1/10th the functionality that PCAW has.

      That said, Symantec's decision to keep mum for 5 years about a serious breach of security-critical sourcecode is outrageous, especially for a company which is now one of the top IT security product vendors in the world. (And I'm not just talking about Norton antivirus - Symantec took over Verisign's SSL business, a major security forum/mailing-list, and sells all sorts of corporate security products as well.)

      1. Anonymous Coward

        "r a company which is noT one of the top IT security product vendors in the world."

        Fixed it for you.

  3. Anonymous Coward

    ...and is this Windows only?

    ^^See title

  4. Microphage

    Is this Windows only?

    I do know the hotfix won't install on Linux ..

    "apply hotfix in TECH179526"

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00

  5. Anonymous Coward

    Not a big deal for most

    I doubt this is a real issue for most and the hotfix should eliminate the issue. Hopefully they nail a few more hackers trying to infiltrate.

  6. Framitz

    Not a big deal

    PC Anywhere is BANNED from use where I work, and the last place I worked, so this is not a problem for us.

    1. TheRegistrar

      InsecurITy software only used by out-of-school sysadmins

      As Framitz indicates, most companies have banned PC Anywhere since the early DoS vulnerabilities.

      http://www.cvedetails.com/vulnerability-list/vendor_id-76/product_id-423/Symantec-Pcanywhere.html

      The current struggle is forcing off-shore support to stop infecting every server they touch with old versions of Dameware

      http://www.cvedetails.com/vulnerability-list/vendor_id-2014/Dameware-Development.html

    2. Anonymous Coward

      PC Anywhere Banned?

      All non-approved remote access software is banned where I work. It's RDP, X, SSH, ProLiant iLO or nothing.

      To be honest, I used to work for a company in the days of NT4 and PCA was an essential product. MS released RDP for remote admin in Win2000, but what had actually killed PCA off for us was the then Compaq Lights Out board which was far more functional than any other remote access solution.

  7. BlueGreen

    "This line of attack ought to be blocked by a properly configured firewall"

    So it seems I know even less about firewalls than I thought. How does a firewall prevent a buffer overflow (in another app) through a tcp socket, except by closing the port? Any help?

    And while I'm here "...to leverage this". I think the word you want is 'use'.

    1. 437T

      Same question here

      "How does a firewall prevent a buffer overflow (in another app) through a tcp socket, except by closing the port? Any help?"

      I think the news item writer might have blown it. Or, maybe I am missing something too.

      You would have to do packet inspection that looked for the specific exploit to be able to block this. A regular firewall would either have the port wide open or would be port forwarding the packets blindly.

    2. Wize

      Your properly configured firewall...

      ...may be set up to filter on the source for that port, via IP address, MAC address, etc.

    3. /dev/me

      Re: How does a firewall prevent a buffer overflow

      Hmmm, the way I read it, I thought by setting max packet length

      iptables -A INPUT -p tcp --dport 5631 -m length --length $maxlength: -j DROP

      Or something like that. But as the article says, it would be stupid to rely on this. I'm also wondering if commercial (hardware) firewall vendors would include this kind of fine grained rules per default. I somehow doubt it, but it would be interesting to ask.
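The exchange above asks what a "properly configured firewall" can actually do against an overflow that arrives over a TCP connection. The following is an added example, not code from the article or from any of the commenters, that models the three ideas raised (a per-packet length rule like the iptables line above, a source-address allow-list, and real stream-level inspection) against a constructed receiver. The wire format, the 256-byte buffer, the 512-byte packet limit and the IP addresses are all assumptions for the demo; it is not the pcAnywhere protocol. The point it shows is that `-m length` sees one segment at a time, and the sender chooses the segment size, so the oversize body simply arrives in small pieces and is reassembled by the receiving TCP stack before the vulnerable code ever reads it.

```python
"""Why a per-packet length filter does not stop a TCP-delivered overflow.

Constructed example. The toy protocol is NOT pcAnywhere: one message is a
2-byte big-endian body length followed by the body, which the receiver
copies into a fixed 256-byte buffer without checking the length.
"""
import struct
from dataclasses import dataclass
from typing import Optional

BUF_SIZE = 256      # receiver's fixed-length buffer (assumed for the demo)
MAX_PACKET = 512    # per-packet size limit a firewall rule might enforce (assumed)


@dataclass
class Segment:
    src: str        # source IPv4 address (constructed)
    payload: bytes  # TCP payload carried by this segment


def build_message(body: bytes) -> bytes:
    """Encode one message in the toy format: u16 length + body."""
    return struct.pack(">H", len(body)) + body


def as_segments(src: str, stream: bytes, mss: int) -> list:
    """Split a byte stream into segments of at most `mss` payload bytes.
    The sender picks the segment size, so an attacker can pick a small one."""
    return [Segment(src, stream[i:i + mss]) for i in range(0, len(stream), mss)]


def filter_by_length(segs: list, max_len: int = MAX_PACKET) -> list:
    """Model of `iptables ... -m length --length <max+1>: -j DROP`: a stateless
    per-packet check that sees one segment at a time, never the whole message."""
    return [s for s in segs if len(s.payload) <= max_len]


def filter_by_source(segs: list, allowed: set) -> list:
    """Model of a source-address allow-list on the service port."""
    return [s for s in segs if s.src in allowed]


def reassemble(segs: list) -> bytes:
    """What the receiving TCP stack does before the application reads anything."""
    return b"".join(s.payload for s in segs)


def declared_body_length(stream: bytes) -> Optional[int]:
    """Parse the length field of the first message, or None if nothing arrived."""
    if len(stream) < 2:
        return None
    return struct.unpack(">H", stream[:2])[0]


def vulnerable_receiver_overflows(segs: list) -> bool:
    """The receiver behaves like memcpy(buf, body, length) into buf[BUF_SIZE]:
    it overflows exactly when the declared body length exceeds the buffer."""
    stream = reassemble(segs)
    n = declared_body_length(stream)
    if n is None:
        return False
    body = stream[2:2 + n]
    return len(body) > BUF_SIZE


def stream_guard_blocks(segs: list, max_body: int = BUF_SIZE) -> bool:
    """What an application-aware proxy or IPS has to do instead: reassemble the
    stream, parse the protocol, and reject the connection as soon as the declared
    body length exceeds what the fixed buffer can hold."""
    n = declared_body_length(reassemble(segs))
    return n is not None and n > max_body


def run_demo() -> dict:
    """Run all three policies against a benign client and an attacker sending a
    4096-byte body in 128-byte segments. Returns which policies stopped it."""
    allowed = {"192.0.2.10"}   # the one admin workstation allowed in (assumed)
    benign = as_segments("192.0.2.10", build_message(b"hello"), mss=128)
    attack = as_segments("203.0.113.7", build_message(b"A" * 4096), mss=128)
    return {
        "benign_passes_all": (
            len(filter_by_length(benign)) == len(benign)
            and len(filter_by_source(benign, allowed)) == len(benign)
            and not stream_guard_blocks(benign)
            and not vulnerable_receiver_overflows(benign)
        ),
        # every attack segment is 128 bytes, so the length rule drops nothing
        "length_filter_stops_attack": not vulnerable_receiver_overflows(filter_by_length(attack)),
        "source_filter_stops_attack": not vulnerable_receiver_overflows(filter_by_source(attack, allowed)),
        "stream_guard_stops_attack": stream_guard_blocks(attack),
    }


if __name__ == "__main__":
    for name, stopped in run_demo().items():
        print(f"{name}: {stopped}")
```

Two caveats for anyone tempted to use the iptables length rule on a real box: `-m length` matches the total IP packet length, headers included, and nothing stops the remote end from sending a path-MTU-sized or smaller segment, so the rule only ever catches a lazy exploit. The checks that do hold up are the ones Wize and 437T describe: restrict who may reach the port at all, or put something in the path that reassembles the stream and understands the protocol well enough to enforce the field length itself.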

  8. Lars

    Funny

    How much easier it is with X and Linux. Used to use PC Anywhere a long time ago on Windows but it was slow as hell, mostly due to Windows I suppose.

    1. Wize

      It was slow when I used it...

      ...but that was over a dialup modem.

      And that might not have been a fast one.

      It was a cool program that allowed us to check the health of a factory at the other end of the UK without the required flights.

      And secure too. The factory only plugged the modem into the phone line when we told them to.

    2. Anonymous Coward

      Mostly due to Windows and modem speed.

      Used it a fair bit at my last job. When Symantec acquired Altiris, they made PCAnywhere the remote control agent for the deployment management suite. It put less load on the cpu of the local pc than the "emergency" remote solution which was directly implemented in the deployment console. Since the agent was sitting on the local net, PCAnywhere ran as quickly as any other remote solutions we'd used in the past.

      1. Anonymous Coward

        Altiris?

        *spit*

        Nasty piece of crap. Can't stand it.

        Or maybe it's just been set up to be aggressive by Global IT. Bloody GIT keeps scheduling intensive tasks (monthly virus scan, software audit etc) to trigger during the day, not at night when my PC is on and idle.

  9. Zmodem

    better off using sub7 or infector 1.7b anyway, with the startup folder way

  10. Anonymous Coward

    Hmmm

    "Neither flaw has been weaponised into exploits by hackers, reckons Symantec"

    Yet 5 days before the publication of the first advisory, an exploit to do with the login was being talked about in hacker circles and by Anonymous. So I would take Symantec's statement with a pinch of salt. The private 0-day exploit has been in use imo.
