I want to clear up some confusion regarding my PCAnyWhere exploit and address some statements that were made in various publications over the past few days. I wasn’t expecting a simple DoS to get so much attention. The publications raised some issues regarding the risks associated with the release (leakage) of software source; however, these issues are overstated.
First, I found the vulnerability while working on an exploit for ZDI-12-018, which allows for remote code execution and has already been patched by Symantec. In order to do this I had to reverse engineer the communication between the client and server. This required a lot of testing by trial and error and resulted in crashing the awhost32 service on multiple occasions. The tool that was released in my previous post was simply something I found while doing that work.
One of the issues raised in many of the articles covering the release of the exploit is the implications of the leak of the Symantec PCAnywhere source code by Anonymous. These articles highlighted the fact that the availability of source code gives researchers the ability to identify zero-day vulnerabilities. This is true; however, researchers have identified, and can identify, vulnerabilities without the source code. The authors of these articles would like you to believe that Symantec users are “at risk” because the source is now available, and that is really not the case. Typically, software that has its source code available to the public undergoes a much higher degree of scrutiny than software with closed source code. So will there be more vulnerabilities released for the Symantec products as a direct result of the source code leak? Probably, but one has to remember the fact that these vulnerabilities were already present in the software. In fact, the end result should be a more secure product, which comes from leveraging the resources of the internet community. If anyone believes that closed source software is secure, they should look no further than the large number of Adobe vulnerabilities published over the past 12 months.
Frankly, if I were Symantec I would encourage researchers to review the code and reward them with bug bounties, like those offered by Firefox and others. At this point you can’t un-leak the code, so why not leverage this opportunity to improve your code base? Bug bounty programs have proven to be quite successful in proactively identifying vulnerabilities… just ask Google.