Symantec issues patch for corporate antivirus software
Flaw in Anti Virus Corporate Edition exposes server log-in name and administrator password
Follow @infoworldSymantec has issued a patch for a vulnerability in its corporate antivirus software that could allow an unauthorized person to access a company's servers.
The flaw, in Version 9 of its Anti Virus Corporate Edition product, exposes the server log-in name and password used by the administrator who authorizes updates to the software, Symantec said.
The Anti Virus product comes with a LiveUpdate client that can be set to check for product updates. After the client receives the updates from the LiveUpdate server, information about the transaction is stored in a local log file. The LiveUpdate server log-in and password are included in that log file as clear text, Symantec said.
The file is accessible to all users on the system, meaning workers across the enterprise could view the log-in name and password. The danger is most apparent if that same log-in and password are used for accessing other, more critical corporate systems.
The problem was first identified last week in a posting on Bugtraq, a mailing list that tracks software security issues. Symantec issued the patch to fix the problem on Friday. It is available from http://securityresponse.symantec.com/avcenter/security/Content/2005.09.0...
Symantec advised customers to create a unique login and password for accessing LiveUpdate services, rather than using the same administrator login that provides broader system access.
As of Friday, Symantec was unaware of any users that had been affected by the vulnerability, which it rated medium risk.
