Full Disclosure mailing list archives
Re: Trivial Bug in Symantec Security Products
From: Thomas Sutpen <sutpen () gmail com>
Date: Fri, 31 Dec 2004 01:32:43 -0700
Sil!!

Nobody else on this list seems to have enough courtesy to say anything publicly (mainly because this list is populated in majority by juvenile retards), so I will:

It's good to see your name bouncing around in the industry again.

TS

On Wed, 29 Dec 2004 17:56:28 -0500 (EST), J. Oquendo <sil () infiltrated net> wrote:
Impact: Bug in Symantec products allows for free software updates

Version(s):
Norton AntiVirus for Windows 9x/NT/Me/2000/XP
Symantec Web Security
Symantec AntiVirus Scan Engine
Norton AntiVirus for Gateways
Symantec AntiVirus for Gateways
Norton AntiVirus Corporate Edition
Symantec AntiVirus Corporate Edition
Norton AntiVirus for Exchange

I. BACKGROUND

Symantec whose stock price of $27.38 at market close on December 15, 2004, valuing the company at approximately $13.5 billion (according to their home page) has a simple little glitch in the above mentioned products, which would allow any user who has an expired product to automatically continue updating without purchasing the software after the program has expired.

Vendor notified on 12/06/2004

II. DESCRIPTION

Any user with an expired copy of the versions listed above can continue to receive updates at no extra cost. While not a true to form "bug", the silly workaround can hinder Symantec's future market valuations if users simply allowed their products to expire, downloaded any "Intelligent Updater" definitions via http://securityresponse.symantec.com/avcenter/defs.download.html and installed them with the clock turned back to a pre-expiration date.

Somehow, Symantec engineers have not implemented a mechanism to disallow a user from installing the patches via changing the date on their computer back to when the original program was installed and then running the "Intelligent Updater."

E.g.:
User installs a 60 day trial version with free updates that expires on Jan 01, 2005.
User goes to install an update in July 2005 and gets a subscription error.
User changes the date back to some time before the product expired and installs the new definition without problems.
User changes date back forward without problems.

While not of the "Bugtraq" typical bug, Symantec engineers should try to resolve this to avoid any future revenue loss.

III. SOLUTION

Symantec could rewrite their updates to include a timer, or check via atomic clock. Other options include informing their customers not to commit the evil act of modifying the dates on their computers.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
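Section III of the quoted advisory suggests a timer or an external clock check. As an added example (not part of the original posts and not Symantec's code), the sketch below shows an entitlement check that does not rely on the local clock alone: it compares the definition package's own release date with the subscription expiry and keeps a high-water mark of the latest date seen. The names `Subscription`, `DefinitionPackage` and `check_update` are hypothetical, and it assumes the release date is authenticated (for example, covered by a signature) and that `last_seen` is persisted by the product.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Subscription:
    expires: date    # last day on which updates are licensed
    last_seen: date  # latest date the product has evidence of (assumed persisted)


@dataclass
class DefinitionPackage:
    released: date   # release date carried in the package (assumed authenticated)


def check_update(sub: Subscription, pkg: DefinitionPackage, system_today: date):
    """Return (allowed, reason) without trusting the system clock on its own."""
    # An authentic package released on day D proves the real date is >= D,
    # so it advances the high-water mark even if the local clock says otherwise.
    sub.last_seen = max(sub.last_seen, pkg.released)

    # Definitions published after the subscription ended are never licensed,
    # whatever date the local clock reports.
    if pkg.released > sub.expires:
        return False, "released-after-expiry"

    # The clock reads earlier than a date already observed: it was set back.
    if system_today < sub.last_seen:
        return False, "clock-rollback"

    sub.last_seen = system_today
    if system_today > sub.expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario from the advisory: trial expires 2005-01-01,
    # a July 2005 definition set is installed with the clock set to Dec 2004.
    sub = Subscription(expires=date(2005, 1, 1), last_seen=date(2004, 11, 2))
    july = DefinitionPackage(released=date(2005, 7, 15))
    print(check_update(sub, july, system_today=date(2004, 12, 20)))
```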