Bugtraq mailing list archives

Re: "Javier Sanchez" jsanchez157 () hotmail com 02/25/2002 11:14 AM, Symantec LiveUpdate


From: "Sym Security" <symsecurity () symantec com>
Date: Thu, 28 Feb 2002 16:49:54 -0600


Re:  "Javier Sanchez" jsanchez157 () hotmail com 02/25/2002 11:14 AM, Symantec
LiveUpdate

Norton Antivirus Corporate Edition includes LiveUpdate.  LiveUpdate stores
Username and Password information in cleartext in the registry.  Depending
on your implementation, you may not need LiveUpdate installed at all on
your clients.

I brought this to Symantec's attention months ago.  Since then a new
version of LiveUpdate has been released.  The information is still not
encrypted.

Any user with the client installed can run "regedit", search for "password",
and voilà!

Here's a "fix":
Paste the following into a .reg file (i.e. nav.reg) and push it out to your
clients via login script or whatever:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource]
"Login"=-
"Password"=-

Symantec Response:
Symantec's Norton AntiVirus Corporate Edition provides the administrator
the ability to push LiveUpdate definitions out to individual clients or to
configure each client with a read-only username and password access to an
internal local LiveUpdate server to download local updates.  While the
local username and password were stored in the registry in the clear in
LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username and
password by default.

Symantec would like to emphasize that in all instances, the username and
password pair is NOT connected with authentication to access Symantec's
LiveUpdate server. The username and password in question is ONLY associated
with the local network internal server.
Symantec is aware of the issue addressed by Mr. Sanchez and it is not a
LiveUpdate issue.  Rather it is an internal server issue when passing the
username and password to the client system that is affecting the password
encryption causing the clear text exposure.  This problem is currently
being addressed and will be available for update as soon as it is fully
tested.

Symantec appreciates the concern of Mr. Sanchez and takes the security of
our products very seriously.  We would like to re-emphasize however, that
this read-only username/password is for internal server access only.
Additionally, if company policy is such that all updates are controlled at
a centralized server and pushed out to client systems, the issue in
question does not exist.

Disclaimer:
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, Symantec product names and Sym Security are Registered Trademarks
of Symantec Corp. and/or affiliated companies in the United States and
other countries. All other registered and unregistered trademarks
represented in this document are the sole property of their respective
companies.
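
Added example (not part of the original message, and not Symantec's or Mr. Sanchez's code): a PowerShell audit of the registry key named in the .reg file above, reporting whether the "Login" and "Password" values are present without printing their contents. The function name, the -Remove switch and the check of both the 32-bit and 64-bit registry views are assumptions made for this example.

```powershell
# Added example. The key path and value names are the ones in the .reg file
# quoted in the message; everything else is an assumption of this example.
param(
    [switch]$Remove   # hypothetical switch: delete the values instead of only reporting
)

$SubKey = 'SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource'
$Names  = 'Login', 'Password'

function Test-LiveUpdateCredential {
    param([Microsoft.Win32.RegistryView]$View, [switch]$Remove)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        # Open the key writable only when removing (needs administrator rights).
        $key = $base.OpenSubKey($SubKey, [bool]$Remove)
        if ($null -eq $key) { return }          # key absent in this view
        try {
            foreach ($name in $Names) {
                $present = $key.GetValueNames() -contains $name
                if ($present -and $Remove) {
                    $key.DeleteValue($name, $false)
                }
                # Report presence only; never echo the stored credential.
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    View     = $View
                    Value    = $name
                    Present  = $present
                    Removed  = [bool]($present -and $Remove)
                }
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# Assumption: on 64-bit Windows the key may live in the 32-bit view, so check both.
[Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32 |
    ForEach-Object { Test-LiveUpdateCredential -View $_ -Remove:$Remove }
```

Run without arguments it only reports; with -Remove it deletes the two values, which is what the .reg file in the message does.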


