Shades of pcAnywhere in VMware breach

Symantec and VMware source-code breaches led to the companies assuring customers the leaks posed no threat. But what's the reality?

This week, virtualization software maker VMware acknowledged that a single file posted online came from the source code to its ESX hypervisor. Dating back to at least 2004, the source code may have come from a third party. The virtualization company assured customers that the public posting of the code did not necessarily pose a security issue.

"VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today," Iain Mulholland, director of VMware's Security Response Center, said in a statement. "We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate."

The file was posted to PasteBin earlier in April by a hacker, Hardcore Charlie, who claimed that the data came from a breach of CEIEC, the China National Electronics Import & Export Corp. VMware declined further comment on the potential source of the breach.

Yet, the way the incident has played out so far mirrors the Symantec breach from earlier this year.

In January, the security firm warned customers that a third-party leak had left the source code for three products, including its pcAnywhere remote access software, in the hands of hackers. Symantec originally downplayed the danger of the breach, but subsequently found vulnerabilities that could allow attackers to compromise systems exposed to the Internet. As part of its advice to customers, Symantec urged companies to put systems running pcAnywhere behind a firewall. A subsequent scan of the Internet found that more than 140,000 systems could have been attacked using vulnerabilities in pcAnywhere software.

In Symantec's case, the company eventually tracked the leak to a 2006 breach of its own network, not an attack on a third party. The company also revealed it had negotiated with the hacker, who used the handle YamaTough, as part of a delaying tactic in conjunction with law enforcement.

The lesson for users of VMware's products should be to take initial statements with a hefty helping of salt. Symantec's source code did not come from the breach of a third party, though the hacker claimed it did. It's possible that VMware's code may not have come from a Chinese import and export company, no matter what Hardcore Charlie claims.

The VMware source-code leak will likely have less impact on the company's customers than the leak of Symantec's source code had on its customers. The current version of pcAnywhere was built from the same components as the leaked code. VMware not only has significantly changed its code base in the last eight years, but is also actively pushing users to a slimmed-down version of its hypervisor, ESXi.

At least one security watcher argues that enterprises need to follow the issue closely. Eric Chiu, president of Hytrust, argues that the firms are so reliant on virtualization that the leak poses some significant risks.

"The big thing is that is highlights how important it is to secure your virtual infrastructure," he says.

This article, "Shades of pcAnywhere in VMware breach," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.