Glitch fixed in Symantec Corporate AntiVirus
Symantec releases a fix for a weakness in the way its corporate antivirus software stores log-in credentials.
Symantec late on Friday released an update for AntiVirus Corporate Edition 9.0 to fix a security weakness that was disclosed earlier last week. The unpatched software stores usernames and passwords in plain text in a log file when connecting to an internal LiveUpdate server for updates. In one scenario, a local attacker could abuse these credentials to gain higher privileges, according to a post on the Bugtraq mailing list last week.
Symantec has now updated its LiveUpdate client to address the problem, according to a security advisory. Still, the company recommends that LiveUpdate user accounts be unique, used for accessing LiveUpdate only, and have no other system access. Symantec ranks the password problem "medium" risk.