Source code for Symantec Endpoint Protection 11 and Symantec Antivirus 10 has been stolen. According to speculation in news reports, the source code had been provided to the Indian government and was compromised from their servers. Security companies often provide source code to be able to sell software in a country. I suppose they are worried about NSA backdoors. This hack highlights the problems with loaning out your source code.
Symantec downplayed the severity of the report, saying SAV 10 is no longer sold (end of support in July 2012) and SEP 11 is 4-5 years old.
Even if the source code was from an earlier version, I am confident the source code doesn’t change that much within a major build. Symantec Endpoint Protection 11 may have initially been released 4 or 5 years ago (can that be right?), but it is still the main version in use today. Its successor, SEP 12.1, was only released in July, and most people would wait before deploying it.
I was a bit surprised by some of the reactions to this disclosure. Rob Rachwald of Imperva says there is “not much hackers could learn from it” because they already analyze antimalware products. The Atlantic Wire quotes Bruce Schneier as saying it isn’t a big deal.
I think it is a big deal. Antivirus products do have vulnerabilities. Antivirus products are widely deployed, and it is often possible to find out which product a particular company is using. Isn’t code analysis easier than black-box testing or reverse engineering the binaries? Depending on how diligent Symantec has been, I think this could lead to more security updates for Endpoint Protection.
Chris Parden, a Symantec spokesman, says they are developing a remediation process for enterprise customers still using the affected products.