September 5th, 2005, 08:12 PM
Symantec Anti-Virus LiveUpdate Credentials Disclosure
The security issue is caused due to the client storing the LiveUpdate Server login name and password to a local log file in clear text. This can be exploited by malicious users to disclose the configured login name and password for accessing the LiveUpdate packages.
Although this vulnerability is classified as Less Critical, I have posted it so that admins get a heads-up.
Product versions affected: Symantec AntiVirus Corporate Edition 9.x
Symantec Windows LiveUpdate 2.x
Solution: Update to version 2.7.38.
Original Advisory:
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
September 5th, 2005, 08:22 PM
Yet another update to download...yeah! Thanks for the heads up. Maybe I'll just upgrade to Corporate 10.
Windows 9x: n.
A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
September 6th, 2005, 03:46 AM
There is a workaround for this, but I have not been able to find that clear text passwords are stored.
to SYN, or not to SYN. That is the question. -Shakespeare?
September 6th, 2005, 06:35 AM
I don't understand how such big security companies make such stupid mistakes.
www.securityfocus.com is run by Symantec
www.@stake.com has been acquired by Symantec.
God knows what the hell they are up to.