Symantec Corp. has confirmed that confidential data concerning its endpoint protection product suite and company antivirus software was inadvertently exposed to the general public this week. The Mountain View, Calif.-based security giant is investigating the incident, but is advising customers that the leak poses little threat to the protection and integrity of Symantec products.
I wouldn't panic at this point given how old it truly is; it's really old code.
John Kindervag, principal analyst, Forrester Research Inc.
A local chapter of Anonymous from India claimed on the PasteBin online forum that it possessed source code for Symantec's Norton Antivirus solutions. Initially the group possessed documentation from 1999 describing how Norton Antivirus worked. In a follow-up post, the group shared source code samples that turned out to be from Symantec's enterprise endpoint protection software.
Cris Paden, senior manager of Symantec corporate communications, told SearchSecurity.com Friday that the Symantec source code theft was unrelated to Norton Antivirus. Symantec researchers determined that the code pertains to two outdated enterprise products: Symantec Endpoint Protection (SEP) 11 and Symantec Antivirus Corporate Edition (SAV) 10.2. SAV 10.2 is still serviced by Symantec, but it has been discontinued, Paden said, while SEP 11 has since evolved into SEP 12.0 and 12.1.
"Contrary to media headlines, Norton Antivirus code was not accessed, stolen or exposed," Paden said. "We are still gathering information on the details and are not able to provide specifics on the third party involved."
Symantec determined that its systems had not been breached. The source code originated from a third party, he said. The company recommends that customers keep their product versions updated to "ensure protection against any new threats that will materialize as a result of this incident."
Paden said the vendor shares its source code on a case-by-case basis with governments for compliance and software assurance purposes. "We're compelled by law in certain cases by governments to share our code as a way to sell our products in that given country," Paden said. "We engage in a lengthy vetting process involving our Legal departments, our CTO's office, our IT departments and our government relations team."
Security experts said major software vendors such as Symantec commonly provide portions of their products' source code to partners to enable them to create complementary products and features. Enterprise customers and government agencies also often request the source code of a product to conduct a vulnerability analysis, though it isn't always granted by the software maker, said Scott Crawford, security and risk management analyst at Boulder, Colo.-based consultancy Enterprise Management Associates.
The most sensitive parts of the source code are probably encrypted and safely guarded by the antivirus vendor, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc. Kindervag urged Symantec customers to stay calm.
"I wouldn't panic at this point given how old it is; it's really old code," Kindervag said. "It seems to be something Symantec might have been working on with IBM, so this might not mean anything at all to customers."
In an instance where source code is publicly released, hackers could learn new ways to evade detection or find a way to exploit vulnerabilities in the software to gain access to sensitive systems, Kindervag said. The source code would have to be for current products, he added.
This isn't the first time a big enterprise software vendor has had to deal with an embarrassing source code leak. Microsoft conducted an internal security assessment when its Windows 2000 and NT 4.0 source code leaked onto the Internet in 2004. Microsoft later released a statement acknowledging the incident. In the same year, networking giant Cisco Systems Inc. investigated the potential breach of its router operating system source code.
Mike Lloyd, CTO of Santa Clara, Calif.-based vendor RedSeal Networks, said the problem is a wake-up call that a company's partners and strategic customers might not be meeting minimum security standards. It's difficult for organizations to "understand the chance of a network you can't see," Lloyd said in a statement.
"As we steadily lose control of our own critical assets, and as attackers increasingly automate their attacks, we will need more baselines like this so that one organization can show another that it is well run," Lloyd said.