DonnaB
Premium
join:2003-05-07
malaysia

Vulnerability with Symantec LiveUpdate 2.7 Build 3

SYM05-013
September 02, 2005
Local LiveUpdate server username / password information revealed by client
Discovery Date: August 31, 2005 - Bugtraq posting (Vulnerability in Symantec Anti Virus Corporate Edition v9.x)

Revision History: None

Risk Impact: Medium

Remote Access: Yes
Local Access: Yes
Authentication Required: Yes
Exploit publicly available: No

Details
LiveUpdate server login name and password are written to a local log file in clear text. This happens when the LiveUpdate client checks for updates from the server. This is only an issue when a local LiveUpdate server is used with a login name and password.

The login name and password belong to the account configured by the LiveUpdate server administrator for accessing LiveUpdate packages. Symantec strongly recommends that this user account be unique for accessing LiveUpdate packages only, and have no other system access. The system administrator account should never be used for this purpose.

Note: As stated in the LiveUpdate download readme file: LiveUpdate version 2.7.x does not support the LiveUpdate Administration Utility, Version 1.5.x. If you are running a system as a Central LiveUpdate server please go to »www.symantec.com/techsupp/files/lu/lu.html and download Version 1.5.4.15 update for the LiveUpdate Administration Utility.

Affected Products

Product | Version | Build | Solution
LiveUpdate Client | 2.7 | 34 | LiveUpdate Client Update

Non-Affected Products

Product | Version | Build
LiveUpdate Client | 2.5 | All
LiveUpdate Client | 2.6 | All

Symantec Response
An update for the LiveUpdate 2.7 client has been released and can be downloaded from the following location:

»www.symantec.com/techsupp/files/lu/lu.html

Symantec is not aware of any active attempts against or organizations impacted by this issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.

»securityresponse.symantec.com/av···.02.html
--
Microsoft MVP-Windows Security
Member of ASAP
Calendar of Updates
SecurityFlash


NICK ADSL UK
Premium,MVM
join:2004-02-22
Thank you Donna


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


 reply to DonnaB

after updating
Thank you Donna !!!

Note: The affected version is
v2.7.34

v2.7.38.0 is the updated version released 02 Sept
[see screenshot after update]



DonnaB
Premium
join:2003-05-07
malaysia
reply to DonnaB
You're welcome Nick and amysheehan.

BTW, a reboot is required after installing the new version of LU.