Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Symantec LiveUpdate
From: Steven Vallarian <svallarian () csa1 com>
Date: Wed, 27 Feb 2002 09:52:37 -0600

In the same key, there is a REG_DWORD called    PasswordIsEncrypted, that is
set to 0. 

I figure that this key is used to tell Liveupdate to decrypt the encrypted
password in the password key, but I haven't been able to find out how to get
LiveUpdate to encrypt the password when it sets it.

Steven V>

From:         Javier Sanchez[SMTP:jsanchez157 () hotmail com]
Sent:         Monday, February 25, 2002 11:14 AM
To:   bugtraq () securityfocus com
Subject:      Symantec LiveUpdate

Norton Antivirus Corporate Edition includes LiveUpdate.  LiveUpdate stores

Username and Password information in cleartext in the registry.  Depending

on your implementation, you may not need LiveUpdate installed at all on

I brought this to Symantec's attention months ago.  Since then a new
of LiveUpdate has been released.  The information is still not encrypted.

Any user with the client installed can run "regedit" search for "password"

and viola!

Here's a "fix":
Paste the following into a .reg file (i.e. nav.reg) and push it out to
clients via login script or whatever:


Chat with friends online, try MSN Messenger: http://messenger.msn.com

  By Date           By Thread  

Current thread:
  • RE: Symantec LiveUpdate Peter Miller (Mar 01)
    • <Possible follow-ups>
    • RE: Symantec LiveUpdate Steven Vallarian (Mar 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]