Symantec source code theft: Current products are safe, vendor says


Symantec source code theft: Current products are safe, vendor says

Robert Westervelt

Symantec is confirming that some confidential data related to its endpoint protection suite and corporate antivirus software has been made public on a website this week. The Mountain View, Calif.-based security giant is advising customers the leak poses no serious threat to current Symantec products.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

I would not panic at this point given how old this is; it’s really old code.

John Kindervag, principal analyst, Forrester Research Inc.

A hacking group based in India has threatened to publicly leak source code prompting Symantec to determine the seriousness of the threat. The group posted data on Wednesday on the Pastebin website, claiming it was related to the Norton antivirus source code. The information posted on PasteBin has been removed.

Cris Paden, senior manager of Symantec corporate communications, told Friday that the Symantec source code theft was unrelated to Norton Antivirus. Symantec researchers determined the code relates to two outdated enterprise products: Symantec Endpoint Protection (SEP) 11 and Symantec Antivirus Corporate Edition (SAV) 10.2. SAV 10.2 is still serviced by Symantec, but it has been discontinued, Paden said, while SEP 11 has since evolved into SEP 12.0 and 12.1.

“Contrary to media headlines, Norton Antivirus code was not accessed, stolen or exposed,” Paden said. “We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”

Paden said Symantec recommends users keep their product versions updated to “ensure protection against any new threats that might materialize as a result of this incident.”

Security experts said Symantec and other major software vendors release parts of their source code to enable close partners create complimentary products and features. Enterprise customers and government agencies also often request the source code of a product to conduct a vulnerability analysis, though it is not always granted by the software maker, said Scott Crawford, security and risk management analyst at Boulder, Colo.-based Enterprise Management Associates.  

The most sensitive parts of the source code is likely encrypted and safely guarded by the antivirus vendor, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc. Kindervag urged Symantec customers to remain calm.

“I would not panic at this point given how old this is; it’s really old code,” Kindervag said. “It appears to be something Symantec may have been working on with IBM, so this may not mean anything at all to customers.”

In an instance where the actual source code was publicly released, hackers could learn new ways to evade detection or figure out how to exploit vulnerabilities in the software to gain access to sensitive systems, Kindervag said.  The source code would have to be for current products, he said.

Other companies have had to deal with embarrassing source code leaks. Microsoft conducted an internal security assessment  when its Windows 2000 and NT 4.0 source code leaked onto the Internet in 2004. Microsoft later released a statement acknowledging the incident. In the same year, Cisco Systems investigated the possible breach of its router operating system source code.

Mike Lloyd, CTO of RedSeal Networks, said the issue is a wakeup call that a company’s partners and strategic customers may not be meeting minimum security standards. It’s difficult for organizations to “understand the risk of a network you cannot see,” Lloyd said in a statement.

“As we steadily lose control of our own critical assets, and as attackers increasingly automate their attacks, we will need more baselines like this so that one organization can show another that it is well run,” he said.