Despite warnings from security software maker Symantec not to connect its pcAnywhere remote-access software to the Internet, more than 140,000 computers appear to remain configured to allow direct connections from the Internet, thereby putting them at risk.
Over the weekend, vulnerability management firm Rapid7 scanned for exposed systems running pcAnywhere and found that tens of thousands of installations could likely be attacked through unpatched vulnerabilities in the software because they directly communicate with the Internet. Perhaps of greatest worry is that a small but significant fraction of the systems appear to be dedicated, point-of-sale computers, where pcAnywhere is used for remote management of the device, says HD Moore, Rapid7's chief security officer.
"It is clear that pcAnywhere is still widely used in specific niches, especially point-of-sale," Moore says, adding that by connecting the software directly to the Internet, "organizations are placing themselves at risk of remote compromise or remote password theft."
Lines of attack
The ability to reach a computer running pcAnywhere directly from the Internet, paired with a vulnerability of sufficient severity, could allow anyone to compromise a system running the remote-access software. A remote party can connect directly to a computer from the Internet if no firewall protects the system, or if the firewall lets traffic destined for certain ports pass through unhindered. The systems found by Rapid7 allowed requests directed to the default pcAnywhere ports -- 5631 and 5632 -- to reach the host computer.
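The exposure described above can be checked from a defender's own firewall logs. The following is an added example, not code from the article, Rapid7 or Symantec: it parses constructed, iptables-style log lines (a hypothetical format) and flags accepted inbound connections to the pcAnywhere ports 5631 and 5632 whose source lies outside an assumed list of internal networks.

```python
import ipaddress
import re

# Default pcAnywhere ports named in the article: 5631 (TCP data) and 5632 (UDP status).
PCANYWHERE_PORTS = {5631, 5632}

# Assumption for this example: these ranges are the organisation's own networks,
# from which management connections are expected. Adjust to your management subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines in a hypothetical iptables-style syslog format.
SAMPLE_LOG = """\
Jan 30 02:11:04 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.15 PROTO=TCP SPT=51022 DPT=5631
Jan 30 02:11:09 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.40 DST=10.0.0.15 PROTO=TCP SPT=49210 DPT=5631
Jan 30 02:12:31 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.77 DST=10.0.0.15 PROTO=UDP SPT=5632 DPT=5632
Jan 30 02:13:00 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.77 DST=10.0.0.15 PROTO=TCP SPT=40011 DPT=443
Jan 30 02:14:45 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.15 PROTO=TCP SPT=33333 DPT=5631
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_internal(addr):
    """True if the address falls inside one of the assumed internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def exposed_pcanywhere_connections(log_text):
    """Return (src, dst, proto, dport) for each ACCEPTed connection to a pcAnywhere
    port that originates outside the internal networks, i.e. direct Internet access."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "ACCEPT":
            continue  # unparseable or already blocked by the firewall
        dport = int(m["dpt"])
        if dport not in PCANYWHERE_PORTS:
            continue  # not pcAnywhere traffic
        src = ipaddress.ip_address(m["src"])
        if is_internal(src):
            continue  # expected management traffic from inside the network
        hits.append((str(src), m["dst"], m["proto"], dport))
    return hits


if __name__ == "__main__":
    for hit in exposed_pcanywhere_connections(SAMPLE_LOG):
        print("pcAnywhere reachable from the Internet:", hit)
```

Each hit is a host whose pcAnywhere ports are reachable from outside; the fix is to restrict those ports at the firewall to the management networks and apply the vendor patches.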
"Most people worry about whether someone can get into their system directly, and based on [recent vulnerabilities] you don't have to be the most hardcore researcher to ... exploit these systems," Moore says.
Last week, HP TippingPoint's Zero Day Initiative reported one such vulnerability that could be used to take control of any at-risk pcAnywhere installation connected to the Internet.
pcAnywhere's security came under scrutiny this month after Symantec acknowledged that the source code for the product had been stolen in 2006. While the theft of the source code itself did not endanger users, would-be attackers who analyze the code will likely find vulnerabilities. When Symantec took another look at the source code following the theft, for example, the company found vulnerabilities that could allow attackers to eavesdrop on communications, grab the secure keys, and then remotely control the computer -- if the attackers could find a way to intercept communications.
Symantec published patches last week for the issues the company found during its source code analysis as well as the more serious vulnerability reported by the Zero Day Initiative. On Monday, the company also offered a free upgrade to all pcAnywhere customers, stressing that users who update their software and follow its security advice were safe.
Open to mischief
Yet Moore and other security researchers argue that it's unlikely that the most vulnerable users will quickly patch their systems. Allowing direct access from the Internet to pcAnywhere suggests that the owner of the computer may not have the technical experience to know to patch regularly.