Symantec has issued a patch for a vulnerability in its corporate antivirus software that could allow an unauthorized person to access a company's servers. The flaw, in version 9 of its AntiVirus Corporate Edition product, exposes the server login name and password used by the administrator who authorizes updates to the software, Symantec says.
The AntiVirus product comes with a LiveUpdate client that can be set to check for product updates. After the client receives the updates from the LiveUpdate server, information about the transaction is stored in a local log file.
The LiveUpdate server login and password are included in that log file as clear text, Symantec says. The file is accessible to all users on the system, meaning workers across the enterprise could view the login name and password. The danger is most apparent if that same login and password are used for accessing other, more critical corporate systems.
News source: PCWorld.com
The AntiVirus product comes with a LiveUpdate client that can be set to check for product updates. After the client receives the updates from the LiveUpdate server, information about the transaction is stored in a local log file.
The LiveUpdate server login and password are included in that log file as clear text, Symantec says. The file is accessible to all users on the system, meaning workers across the enterprise could view the login name and password. The danger is most apparent if that same login and password are used for accessing other, more critical corporate systems.
News source: PCWorld.com
News story updated and re-sourced to the author.
Please note that Something Awful is filtered at Neowin for it's hot-linking retaliation practices. This is to stop our members directly hot-linking content from that site.
Steven Parker @ 15:44 CET
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.