Symantec Anti-Virus LiveUpdate Credentials Disclosure

***ByTeWrangler*** · September 5th, 2005, 08:12 PM

Greeting's

The security issue is caused due to the client storing the LiveUpdate Server login name and password to a local log file in clear text. This can be exploited by malicious users to disclose the configured login name and password for accessing the LiveUpdate packages.

Although this vulnerability is classified as : Less Critical. I have posted it so that Admin's get a head's up.

Product version's affected : Symantec AntiVirus Corporate Edition 9.x

Symantec Windows LiveUpdate 2.x

Solution : Update to version 2.7.38.

Original Advisory :

http://securityresponse.symantec.com...005.09.02.html

**576869746568617** · September 5th, 2005, 08:22 PM

Yet another update to download...yeah! Thanks for the heads up. Maybe I'll just upgrade to Corporate 10.

**cashmoney** · September 6th, 2005, 03:46 AM

There is a work around for this, but I have not been able to find that clear text passwords are stored.

**warl0ck7** · September 6th, 2005, 06:35 AM

I don't understand that how such big security companies make such stupid mistakes.

www.securityfocus.com is run by Symantec
www.@stake.com has been acquired by Symantec.

God knows what the hell are they upto.

Thread: Symantec Anti-Virus LiveUpdate Credentials Disclosure

Thread Tools

Display

Symantec Anti-Virus LiveUpdate Credentials Disclosure

Posting Permissions