<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Gemini&#187; Vulnerability</title>
	<atom:link href="http://www.ip-192.com/tag/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ip-192.com</link>
	<description>IT Infrastructure · Network Protection · Website Development · Training</description>
	<lastBuildDate>Fri, 10 Feb 2012 13:48:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Code injection risk: Symantec recommends disabling pcAnywhere</title>
		<link>http://www.ip-192.com/2012/01/26/symantec-pcanywhere/</link>
		<comments>http://www.ip-192.com/2012/01/26/symantec-pcanywhere/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 16:40:46 +0000</pubDate>
		<dc:creator>Evelyn</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.ip-192.com/?p=9973</guid>
		<description><![CDATA[Sunnyvale (ip-192.com): Symantec recommends that users disable or uninstall its pcAnywhere. The company, best known for its suite of antivirus software, says that source code stolen by hackers in 2006 may expose vulnerabilities in the remote access software. “Malicious users with access to the source code have an increased ability to identify vulnerabilities and build [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Sunnyvale (ip-192.com):</strong> Symantec recommends that users disable or uninstall its pcAnywhere. The company, best known for its suite of antivirus software, says that source code stolen by hackers in 2006 may expose vulnerabilities in the remote access software.</p>
<p>“Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits,” Symantec says. “Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.”</p>
<p><img class="alignleft" title="Symantec" src="/blog/media/posts/p2012012601.jpg" alt="Symantec" width="182" height="180" />PcAnywhere allows remote users to connect to a host, using an Internet or LAN connection and an access password. The program runs on multiple platforms, including Microsoft Windows, Linux, Mac OS X, and Pocket PC.</p>
<p>“Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product,” Symantec says. “PcAnywhere is also bundled in three Symantec products, Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1. In addition, customers with earlier versions of Altiris suites may have opted to leverage pcAnywhere. The increased risk is isolated to the pcAnywhere components only. There are no known impacts to the rest of the components in the Altiris products or the pcAnywhere Solution component that provides integration between pcAnywhere and the Symantec Management Console. Customers should validate the remote control tools currently in use.”</p>
<p>PcAnywhere users could be exposed to “man in the middle” attacks, meaning that data exchanged between a remote user and the host could be intercepted. If the malicious user gains access to passwords used to log on to the host, he could gain access to corporate networks. Users are also at risk of remote code injection. Symantec has released a White Paper (available <a title="Symantec pcAnywhere™ Security Recommendations" href="http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf" rel="nofollow" target="_blank">here</a>) with remediation steps that help users maintain the protection of their devices and information until security patches are released.</p>
<p>Symantec warns users about possible exploits in its remote access program pcAnywhere and recommends disabling the remote access software suite until patches are released to resolve the issue. Photo: EL</p>

]]></content:encoded>
			<wfw:commentRss>http://www.ip-192.com/2012/01/26/symantec-pcanywhere/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AET: New exploits target network security</title>
		<link>http://www.ip-192.com/2010/10/18/exploits-network-security/</link>
		<comments>http://www.ip-192.com/2010/10/18/exploits-network-security/#comments</comments>
		<pubDate>Mon, 18 Oct 2010 12:28:43 +0000</pubDate>
		<dc:creator>Evelyn</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.ip-192.com/?p=4050</guid>
		<description><![CDATA[Helsinki (ip-192.com): Cybercriminals use a new category of malware - Advanced Evasion Techniques, or AETs - to avoid detection. The exploit poses a serious threat to network security worldwide and can lead to significant data breaches including the loss of confidential information. The new threats significantly extend what is known today about evasion techniques. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Helsinki (ip-192.com):</strong> Cybercriminals use a new category of malware - Advanced Evasion Techniques, or AETs - to avoid detection. The exploit poses a serious threat to network security worldwide and can lead to significant data breaches including the loss of confidential information. The new threats significantly extend what is known today about evasion techniques. Cybercriminals can obtain a master key to a vulnerable system that allows them to bypass network security.</p>
<p>After discovering the vulnerability in its research labs in Helsinki, integrated network security and business continuity solutions provider Stonesoft sent samples of AETs to the national computer security incident response team CERT <img class="alignleft" title="NIC network interface card, Photo: www.imagine-your-world.com" src="/blog/media/posts/p2010101801.jpg" alt="NIC network interface card, Photo: www.imagine-your-world.com" width="260" height="200" />in Finland as well as ICSA Labs, an independent division of Verizon Business that offers third-party testing and certification of security products and network-connected devices. Charged with globally coordinating the remediation of the identified vulnerabilities with network security vendors, CERT issued a vulnerability statement about the exploits.</p>
<p>"We have reason to believe that we have seen just the tip of the iceberg," said Juha Kivikoski, chief operating officer at Stonesoft. "The dynamic and undetectable nature of these advanced evasion techniques has the potential to directly affect the network security landscape. The industry is facing a non-stop race against this type of advanced threats and we believe only dynamic solutions can address this vulnerability."</p>
<p>Researchers discovered the new threats while testing a new network security solution using the latest and most advanced attacks. Field tests and experimental data show many of the existing network security solutions fail to detect AETs and thus fail to block the attack inside, Stonesoft says. Hackers across the globe may already be using the new exploits in advanced, targeted attacks. With only a select few products available to provide protection, organizations may be challenged to protect their systems quickly.</p>
<p>"Stonesoft has discovered new ways AETs can evade many network security systems," said Jack Walsh, intrusion detection and prevention program manager at ICSA Labs. "We were able to validate Stonesoft’s research and believe that these advanced evasion techniques can result in lost corporate assets with potentially serious consequences for breached organizations."</p>
<p>The best defense against the dynamic and ever-evolving nature of AETs is delivered through flexible, software-based security systems with remote update and centralized management capabilities, Stonesoft says. However, most organizations today use static hardware-based solutions, which can be difficult to update.</p>
<p>The picture shows a network interface card (NIC). Photo: <a title="Imagine Your World" href="http://www.imagine-your-world.com/">www.imagine-your-world.com</a></p>

]]></content:encoded>
			<wfw:commentRss>http://www.ip-192.com/2010/10/18/exploits-network-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>$500 Billion: IT departments face debt</title>
		<link>http://www.ip-192.com/2010/10/15/500-billion-it-departments/</link>
		<comments>http://www.ip-192.com/2010/10/15/500-billion-it-departments/#comments</comments>
		<pubDate>Fri, 15 Oct 2010 12:23:11 +0000</pubDate>
		<dc:creator>Evelyn</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[IT infrastructure]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.ip-192.com/?p=4004</guid>
		<description><![CDATA[Stamford (ip-192.com): Global IT departments are facing about $500 billion in debt in 2010, research and advisory firm Gartner, Inc. says. The debt could rise to a staggering $1 trillion by 2015. The scale of the maintenance backlog, created by a decade of tight budgets, is responsible for the red ink most IT departments in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Stamford (ip-192.com):</strong> Global IT departments are facing about $500 billion in debt in 2010, research and advisory firm Gartner, Inc. says. The debt could rise to a staggering $1 trillion by 2015. The scale of the maintenance backlog, created by a decade of tight budgets, is responsible for the red ink most IT departments in large organizations face. According to Gartner, debt is the cost of clearing the backlog of maintenance that would be required to bring the corporate applications portfolio to a fully supported current release state.</p>
<p>"Over the last decade, CIOs have frequently seen IT budgets held tight or even reduced. The reaction has been to still deliver quality of service for operational services and to use any potential project spend to deliver new functionality to the rest of the business," said Andy Kyte, vice president and Gartner fellow. "The bulk of the budget cut has fallen <img class="alignleft" title="Apple Macintosh computer, Photo: Public Domain" src="/blog/media/posts/p2010101501.jpg" alt="Apple Macintosh computer, Photo: Public Domain" width="230" height="210" />disproportionately on maintenance activities - the upgrades that keep the application portfolio up-to-date and fully supported. There is little problem if this is done in one year, or even in two years, but year after year of deferred maintenance means that the application portfolio risks getting dangerously out of date."</p>
<p>As businesses continue to invest in business value-added projects that add more functionality and complexity into the existing and aging portfolio, the size of the IT debt grows as well, because the additional functionality and complexity will need to be maintained and upgraded to a more-reliable state at some point in the future.</p>
<p>"A modern enterprise or public sector organization is likely to be critically dependent on a number of business applications," said Kyte. "Each one is at a particular point in a complex life cycle; each one is slowly but inevitably diverging from its ideal state toward a suboptimal state, and potentially toward obsolescence or failure. While it is true that there has never been an IT organization without a backlog of maintenance activity, the scale of the problem is significantly greater than it has ever been."</p>
<p>IT leaders should produce an annual report on the status of the application portfolio, Gartner recommends. The report should detail the status of the application portfolio in terms that the rest of the business can readily absorb, detailing the number of applications in use, the number acquired, the number decommissioned, and the current and projected costs of both operating and sustaining or improving the integrity of the application assets.</p>
<p>The picture shows the first portable Apple Macintosh computer, released in 1989. Photo: Public Domain</p>

]]></content:encoded>
			<wfw:commentRss>http://www.ip-192.com/2010/10/15/500-billion-it-departments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft: Emergency patch for shortcut bug</title>
		<link>http://www.ip-192.com/2010/08/02/microsoft-patch-bug/</link>
		<comments>http://www.ip-192.com/2010/08/02/microsoft-patch-bug/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 13:10:31 +0000</pubDate>
		<dc:creator>Evelyn</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.ip-192.com/?p=3584</guid>
		<description><![CDATA[Redmond (ip-192.com): Microsoft will release an "out of band" patch today to close a loophole that has been actively exploited by hackers and cyber criminals. The vulnerability in Windows Shell affects all versions of Windows from XP to Windows 7, including Windows Server 2003, 2008, and 2008R2. "We're able to confirm that, in the past [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Redmond (ip-192.com):</strong> Microsoft will release an "out of band" patch today to close a loophole that has been actively exploited by hackers and cyber criminals. The vulnerability in Windows Shell affects all versions of Windows from XP to Windows 7, including Windows Server 2003, 2008, and 2008R2.</p>
<p>"We're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability," said Christopher Budd, a senior security response manager at Microsoft. "We firmly believe that releasing the update out-of-band is the best thing to do to help protect our customers."</p>
<p>Windows incorrectly parses shortcuts in a way that allows malicious code to be executed when the icon of a shortcut is displayed, Microsoft says. The vulnerability can be exploited remotely via network shares and WebDAV and locally through a malicious USB drive. Some types of documents that support embedded shortcuts can also be used to gain access and ultimately control over the computer.</p>
<p>The vulnerability was first found in July, and Microsoft published a workaround solution on July 16 saying that users should disable icons for shortcuts and the WebClient service. According to the Microsoft Malware Protection Center's Threat Research &amp; Response Blog, hackers gained temporary access to more than 8,000 computers by the end of July.</p>
<p>The patch will be released today at around 1.00 p.m.</p>

]]></content:encoded>
			<wfw:commentRss>http://www.ip-192.com/2010/08/02/microsoft-patch-bug/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mariposa botnet: Three arrests in Slovenia</title>
		<link>http://www.ip-192.com/2010/07/28/mariposa-botnet-slovenia/</link>
		<comments>http://www.ip-192.com/2010/07/28/mariposa-botnet-slovenia/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:28:15 +0000</pubDate>
		<dc:creator>Evelyn</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[Mariposa botnet]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.ip-192.com/?p=3580</guid>
		<description><![CDATA[Slovenia (ip-192.com): After a two-year investigation, police arrested three hackers linked to the Mariposa botnet in Slovenia. The botnet was used to steal passwords, credit card and bank account information. Mariposa was built around a computer virus known as "Butterfly bot" and was used to launch denial of service attacks. Industry experts estimate that [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Slovenia (ip-192.com):</strong> After a two-year investigation, police arrested three hackers linked to the Mariposa botnet in Slovenia. The botnet was used to steal passwords, credit card and bank account information. Mariposa was built around a computer virus known as "Butterfly bot" and was used to launch denial of service attacks. Industry experts estimate that the Mariposa botnet infected between 8 and 12 million computers worldwide.</p>
<p>"In the last two years, the software used to create the Mariposa botnet was sold to hundreds of other criminals, making it one of the most notorious in the world," said FBI Director Robert S. Mueller in a press release. "These cyber intrusions, thefts, and frauds undermine the integrity of the Internet and the businesses that rely on it; they also threaten the privacy and pocketbooks of all who use the Internet."</p>
<p>The Spanish Guardia Civil arrested three suspected Mariposa Botnet operators in February (ip-192.com reported <a title="Mariposa botnet taken down" href="http://www.ip-192.com/2010/03/03/mariposa-botnet/" target="_self">here</a> and <a title="800,000 Personal Records Compromised" href="http://www.ip-192.com/2010/03/04/records-compromised/" target="_self">here</a>). The suspected creator of the botnet has now been arrested by the Slovenian police. "We are glad to cooperate with the United States; the FBI's assistance is invaluable and represents professional affirmation of our force," said the Slovenian Minister of the Interior Katarina Kresal and Slovenian Criminal Police director General Janko Gorsek in a joint statement. "This case shows that cyber crime issues call for international police cooperation that shouldn’t be hindered by geographical borders. The FBI has demonstrated a high level of collaboration in which our countries were equal partners, which was crucial for the success of the investigation and reducing the threat on a global level. This partnership serves as a solid basis for future cooperation."</p>
<p>Over the past two to three years, the creator of the Butterfly botnet sold the virus to cybercriminals worldwide, allowing them to infect thousands of computers and create the Mariposa botnet.</p>

]]></content:encoded>
			<wfw:commentRss>http://www.ip-192.com/2010/07/28/mariposa-botnet-slovenia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

