Symantec glitch could expose user names, passwords

Updated Saturday, Sept. 3, after Symantec issued a fix for the vulnerability.

Symantec has fixed a security hole in AntiVirus Corporate Edition that could be exploited to access user names and passwords stored on a company network.

"Symantec is not aware of any active attempts against or organizations impacted by this issue," the Cupertino, Calif.-based antivirus giant said in an advisory. To fix the problem, an update for the LiveUpdate 2.7 client has been released for download.

The update arrived hours after Silver Spring, Md.-based Security Tracker issued an advisory on the flaw, saying versions 9.0.1.x and 9.0.4.x were affected.

"When the system is configured to use an internal LiveUpdate server [instead of Symantec's LiveUpdate server], the system will log server information to a local file," the advisory said. "This information includes the username and password required to access the LiveUpdate server. The log file is 'C:Documents and SettingsAll UsersApplication DataSymantecLiveUpdateLog.Liveupdate.'" @13319

According to Christopher Jordan, CEO of McLean, Va.-based Endeavor Security and CTO of Endeavor Systems, Inc., the key problem is that the password is stored in the "All Users" directory. "This means that if this machine is shared, other users to that system can view the file and learn their co-workers passwords," he said. "This version [of the product] allows for the company to run their own update server. It is used to reduce external bandwidth needs and for stand-alone networks."

Before Symantec had issued its update, Jordan said the only real workaround would be for IT departments to set Symantec Update to only go to the Symantec Server, where it doesn't have to log in the credentials it must present to other servers.

Jordan doesn't see this as a vulnerability that would be widely exploited due to its limited reach. But it could be a problem for government networks, since passwords seem to be stored in the clear, or unencrypted, under the vulnerable set-up. Under the U.S. government's FIPS-112 standard, organizations cannot transmit or store passwords in the clear. Therefore, "The means by which Symantec stores the password is non-compliant."

That said, he doubts Internet-connected government networks are set up in a way that would expose them to this flaw.

Arthur Freyman, a Los Angeles-based IT professional who discovered the vulnerability, shared Jordan's assessment. In an e-mail exchange, he said serious exploitation of the flaw appears "somewhat unlikely" at this point because, "a very particular situation would have to exist in order for this to be valuable for an intruder."

Symantec recently addressed another flaw affecting its AntiVirus Corporate Edition and Client Security products. Users were advised to upgrade to MR3 or later through the Platinum Support Web Site or FileConnect to guard against a vulnerability attackers could exploit to get elevated privileges.

The problem was that in vulnerable products, the HTML help functionality would assume permissions from the Symantec AntiVirus Corporate Edition privileged access, rather than retaining the more restrictive user privileges assigned to a non-privileged logged-in user.

"By manipulating the GUI interface the non-privileged local user gains the ability to browse all system files or execute local system applications and programs with local system privilege," Symantec said of that flaw.