Re: Trivial Bug in Symantec Security Products

[Thomas Sutpen <sutpen () gmail com>]

Sil!!  Nobody else on this list seems to have enough courtesy to say
anything publicly (mainly because this list is populated in majority
by juvenile retards), so I will:

It's good to see your name bouncing around in the industry again.

TS

On Wed, 29 Dec 2004 17:56:28 -0500 (EST), J. Oquendo
<sil () infiltrated net> wrote:
> Impact:  Bug in Symantec products allows for free software updates
> Version(s):
>
> Norton AntiVirus for Windows 9x/NT/Me/2000/XP
> Symantec Web Security
> Symantec AntiVirus Scan Engine
> Norton AntiVirus for Gateways
> Symantec AntiVirus for Gateways
> Norton AntiVirus Corporate Edition
> Symantec AntiVirus Corporate Edition
> Norton AntiVirus for Exchange
>
> I. BACKGROUND
> Symantec whose stock price of $27.38 at market close on December 15, 2004,
> valuing the company at approximately $13.5 billion (according to their
> home page) has a simple little glitch in the above mentioned products,
> which would allow any user who has an expired product to automatically
> continue updating without purchasing the software after the program has
> expired. Vendor notified on 12/06/2004
>
> II. DESCRIPTION
> Any user with an expired copy of the versions listed above can continue to
> receive updates at no extra cost. While not a true to form "bug", the
> silly workaround can hinder Symantec's future market valuations if users
> simply allowed their products to expire, downloaded any "Intelligent
> Updater" definitions via
> http://securityresponse.symantec.com/avcenter/defs.download.html and
> installed them with the clock turned back to a pre-expiration date.
>
> Somehow, Symantec engineers have not implemented a mechanism to disallow a
> user from installing the patches via changing the date on their computer
> back to when the original program was installed and then running the
> "Intelligent Updater."  E.g.: User installs a 60 day trial version with
> free updates that expires on Jan, 01, 2005. User goes to install an update
> in July 2005 and gets a subscription error. User changes the date back to
> some time before the product expired and installs the new definition
> without problems. User changes date back forward without problems.
>
> While not of the "Bugtraq" typical bug, Symantec engineers should try to
> resolve this to avoid any future revenue loss.
>
> III SOLUTION
> Symantec could rewrite their updates to include a timer, or check via
> atomic clock. Other options include informing their customers not to
> commit the evil act of modifying the dates on their computers.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x51F9D78D
> Fingerprint 2A48 BA18 1851 4C99
>
> CA22 0619 DB63 F2F7 51F9 D78D
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
>
> sil @ politrix . org    http://www.politrix.org
> sil @ infiltrated . net http://www.infiltrated.net
>
> "How can we account for our present situation unless we
> believe that men high in this government are concerting
> to deliver us to disaster?" Joseph McCarthy "America's
> Retreat from Victory"
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html