RE: Symantec LiveUpdate

[Steven Vallarian <svallarian () csa1 com>]

In the same key, there is a REG_DWORD called    PasswordIsEncrypted, that is
set to 0. 

I figure that this key is used to tell Liveupdate to decrypt the encrypted
password in the password key, but I haven't been able to find out how to get
LiveUpdate to encrypt the password when it sets it.

Steven V>


> ----------
> From:         Javier Sanchez[SMTP:jsanchez157 () hotmail com]
> Sent:         Monday, February 25, 2002 11:14 AM
> To:   bugtraq () securityfocus com
> Subject:      Symantec LiveUpdate
>
> Norton Antivirus Corporate Edition includes LiveUpdate.  LiveUpdate stores
>
> Username and Password information in cleartext in the registry.  Depending
>
> on your implementation, you may not need LiveUpdate installed at all on
> your 
> clients.
>
> I brought this to Symantec's attention months ago.  Since then a new
> version 
> of LiveUpdate has been released.  The information is still not encrypted.
>
> Any user with the client installed can run "regedit" search for "password"
>
> and viola!
>
> Here's a "fix":
> Paste the following into a .reg file (i.e. nav.reg) and push it out to
> your 
> clients via login script or whatever:
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Li
> veUpdateSource]
> "Login"=-
> "Password"=-
>
>
>
>
>
> _________________________________________________________________
> Chat with friends online, try MSN Messenger: http://messenger.msn.com