Symantec Corp. has confirmed that confidential data related to its endpoint protection product suite and corporate antivirus software was inadvertently exposed to the public this week. The Mountain View, Calif.-based security giant is investigating the incident, but is advising customers that the leak poses little threat to the security and integrity of Symantec products.
A local chapter of Anonymous from India claimed in a PasteBin post that it possessed source code for Symantec’s Norton Antivirus products. Initially the group possessed documentation from 1999 describing how Norton Antivirus worked. In a follow-up post, the group shared source code samples that turned out to be from Symantec’s enterprise endpoint protection software.
Cris Paden, senior manager of Symantec corporate communications, told SearchSecurity.com Friday that the Symantec source code theft was unrelated to Norton Antivirus. Symantec researchers determined that the code relates to two outdated enterprise products: Symantec Endpoint Protection (SEP) 11 and Symantec Antivirus Corporate Edition (SAV) 10.2. SAV 10.2 is still serviced by Symantec, but it has been discontinued, Paden said, while SEP 11 has since evolved into SEP 12.0 and 12.1.
“Contrary to media headlines, Norton Antivirus code was not accessed, stolen or exposed,” Paden said. “We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”
Symantec determined that its own systems had not been breached; the source code originated from a third party, he said. The company recommends that customers keep their product versions updated to “ensure protection against any new threats that might materialize as a result of this incident.”
Paden said the vendor shares its source code on a case-by-case basis with governments for compliance and software assurance purposes. "We are compelled by law in some cases by governments to share our code in order to sell our products in that given country," Paden said. "We engage in a lengthy vetting process involving our Legal departments, our CTO's office, our IT departments and our government relations team."
Security experts said major software vendors such as Symantec commonly provide portions of their products’ source code to partners in order to enable them to create complementary products and features. Enterprise customers and government agencies also often request the source code of a product to conduct a vulnerability analysis, though the request is not always granted by the software maker, said Scott Crawford, security and risk management analyst at Boulder, Colo.-based consultancy Enterprise Management Associates.
The most sensitive parts of the source code are likely encrypted and safely guarded by the antivirus vendor, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc. Kindervag urged Symantec customers to remain calm.
“I would not panic at this point given how old this is; it’s really old code,” Kindervag said. “It appears to be something Symantec may have been working on with IBM so this may not mean anything at all to customers.”
If actual source code were publicly released, hackers could learn new ways to evade detection or figure out how to exploit vulnerabilities in the software to gain access to sensitive systems, Kindervag said. For that to matter, the source code would have to be for current products, he added.
This is not the first time a major enterprise software vendor has had to deal with an embarrassing source code leak. Microsoft conducted an internal security assessment when its Windows 2000 and NT 4.0 source code leaked onto the Internet in 2004. Microsoft later released a statement acknowledging the incident. In the same year, networking giant Cisco Systems Inc. investigated the possible breach of its router operating system source code.
Mike Lloyd, CTO of Santa Clara, Calif.-based vendor RedSeal Networks, said the issue is a wake-up call that a company’s partners and strategic customers may not be meeting minimum security standards. It’s difficult for organizations to “understand the risk of a network you cannot see,” Lloyd said in a statement.
“As we steadily lose control of our own critical assets, and as attackers increasingly automate their attacks, we will need more baselines like this so that one organization can show another that it is well run,” Lloyd said.