Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Trivial Bug in Symantec Security Products
From: Thomas Sutpen <sutpen () gmail com>
Date: Fri, 31 Dec 2004 01:32:43 -0700

Sil!!  Nobody else on this list seems to have enough courtesy to say
anything publicly (mainly because this list is populated in majority
by juvenile retards), so I will:

It's good to see your name bouncing around in the industry again.

TS

On Wed, 29 Dec 2004 17:56:28 -0500 (EST), J. Oquendo
<sil () infiltrated net> wrote:

Impact:  Bug in Symantec products allows for free software updates
Version(s):

Norton AntiVirus for Windows 9x/NT/Me/2000/XP
Symantec Web Security
Symantec AntiVirus Scan Engine
Norton AntiVirus for Gateways
Symantec AntiVirus for Gateways
Norton AntiVirus Corporate Edition
Symantec AntiVirus Corporate Edition
Norton AntiVirus for Exchange

I. BACKGROUND
Symantec whose stock price of $27.38 at market close on December 15, 2004,
valuing the company at approximately $13.5 billion (according to their
home page) has a simple little glitch in the above mentioned products,
which would allow any user who has an expired product to automatically
continue updating without purchasing the software after the program has
expired. Vendor notified on 12/06/2004

II. DESCRIPTION
Any user with an expired copy of the versions listed above can continue to
receive updates at no extra cost. While not a true to form "bug", the
silly workaround can hinder Symantec's future market valuations if users
simply allowed their products to expire, downloaded any "Intelligent
Updater" definitions via
http://securityresponse.symantec.com/avcenter/defs.download.html and
installed them with the clock turned back to a pre-expiration date.

Somehow, Symantec engineers have not implemented a mechanism to disallow a
user from installing the patches via changing the date on their computer
back to when the original program was installed and then running the
"Intelligent Updater."  E.g.: User installs a 60 day trial version with
free updates that expires on Jan, 01, 2005. User goes to install an update
in July 2005 and gets a subscription error. User changes the date back to
some time before the product expired and installs the new definition
without problems. User changes date back forward without problems.

While not of the "Bugtraq" typical bug, Symantec engineers should try to
resolve this to avoid any future revenue loss.

III SOLUTION
Symantec could rewrite their updates to include a timer, or check via
atomic clock. Other options include informing their customers not to
commit the evil act of modifying the dates on their computers.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Re: Trivial Bug in Symantec Security Products Thomas Sutpen (Dec 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]