[24406] in bugtraq
Symantec LiveUpdate
daemon@ATHENA.MIT.EDU (Javier Sanchez)
Mon Feb 25 18:29:14 2002
From: "Javier Sanchez" <jsanchez157@hotmail.com>
To: bugtraq@securityfocus.com
Date: Mon, 25 Feb 2002 12:14:50 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F225mylmdPeMOoFqAnD00014d81@hotmail.com>
Norton Antivirus Corporate Edition includes LiveUpdate. LiveUpdate stores
Username and Password information in cleartext in the registry. Depending
on your implementation, you may not need LiveUpdate installed at all on your
clients.

I brought this to Symantec's attention months ago. Since then a new version
of LiveUpdate has been released. The information is still not encrypted.
Any user with the client installed can run "regedit", search for "password"
and voilà!

Here's a "fix":

Paste the following into a .reg file (i.e. nav.reg) and push it out to your
clients via login script or whatever:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource]
"Login"=-
"Password"=-
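
The check below is an added example, not part of the original post or any Symantec tooling: a PowerShell audit that reports whether the "Login" and "Password" values named in the post are still present on a client, and optionally deletes them as the .reg file does. The key path and value names are taken from the post; the function name, the -Remediate switch and the exit codes are assumptions made for this example.

```powershell
# Added example: audit the LiveUpdateSource key named in the post.
# Key path and value names come from the post; all other names are illustrative.
param(
    [switch]$Remediate   # hypothetical switch: delete the values instead of only reporting
)

$key   = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource'
$names = 'Login', 'Password'

function Get-StoredCredentialName {
    param([string]$Path, [string[]]$ValueNames)

    # Key absent (LiveUpdate source never configured or product not installed).
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $present = (Get-Item -LiteralPath $Path).GetValueNames()
    # Return only the value names that exist; the stored data is never read or printed.
    $ValueNames | Where-Object { $present -contains $_ }
}

$found = @(Get-StoredCredentialName -Path $key -ValueNames $names)

if ($found.Count -eq 0) {
    Write-Output ('{0}: OK, no Login/Password values under LiveUpdateSource' -f $env:COMPUTERNAME)
    exit 0
}

Write-Output ('{0}: FOUND {1}' -f $env:COMPUTERNAME, ($found -join ', '))

if (-not $Remediate) {
    exit 1               # non-zero so a login script or inventory job can flag the client
}

# Same effect as the "Login"=- and "Password"=- lines in the .reg file; needs admin rights.
foreach ($name in $found) {
    Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction Stop
}

# Re-check so the result reflects the registry, not the assumption that the delete worked.
$left = @(Get-StoredCredentialName -Path $key -ValueNames $names)
if ($left.Count -eq 0) {
    Write-Output ('{0}: REMEDIATED' -f $env:COMPUTERNAME)
    exit 0
}
Write-Output ('{0}: STILL PRESENT {1}' -f $env:COMPUTERNAME, ($left -join ', '))
exit 2
```

Any account whose name and password were stored this way should have its password changed, since deleting the values does not undo earlier exposure.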