lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.58.0412291754080.9648@kungfunix.net>
From: sil at infiltrated.net (J. Oquendo)
Subject: Trivial Bug in Symantec Security Products


Impact:  Bug in Symantec products allows for free software updates
Version(s):

Norton AntiVirus for Windows 9x/NT/Me/2000/XP
Symantec Web Security
Symantec AntiVirus Scan Engine
Norton AntiVirus for Gateways
Symantec AntiVirus for Gateways
Norton AntiVirus Corporate Edition
Symantec AntiVirus Corporate Edition
Norton AntiVirus for Exchange

I. BACKGROUND
Symantec whose stock price of $27.38 at market close on December 15, 2004,
valuing the company at approximately $13.5 billion (according to their
home page) has a simple little glitch in the above mentioned products,
which would allow any user who has an expired product to automatically
continue updating without purchasing the software after the program has
expired. Vendor notified on 12/06/2004

II. DESCRIPTION
Any user with an expired copy of the versions listed above can continue to
receive updates at no extra cost. While not a true to form "bug", the
silly workaround can hinder Symantec's future market valuations if users
simply allowed their products to expire, downloaded any "Intelligent
Updater" definitions via
http://securityresponse.symantec.com/avcenter/defs.download.html and
installed them with the clock turned back to a pre-expiration date.

Somehow, Symantec engineers have not implemented a mechanism to disallow a
user from installing the patches via changing the date on their computer
back to when the original program was installed and then running the
"Intelligent Updater."  E.g.: User installs a 60 day trial version with
free updates that expires on Jan, 01, 2005. User goes to install an update
in July 2005 and gets a subscription error. User changes the date back to
some time before the product expired and installs the new definition
without problems. User changes date back forward without problems.

While not of the "Bugtraq" typical bug, Symantec engineers should try to
resolve this to avoid any future revenue loss.

III SOLUTION
Symantec could rewrite their updates to include a timer, or check via
atomic clock. Other options include informing their customers not to
commit the evil act of modifying the dates on their computers.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ