Open Source and information security mailing list archives
 
Message-ID: <d4322ab804123100323d3d529d@mail.gmail.com>
From: sutpen at gmail.com (Thomas Sutpen)
Subject: Trivial Bug in Symantec Security Products

Sil!!  Nobody else on this list seems to have enough courtesy to say
anything publicly (mainly because this list is populated in majority
by juvenile retards), so I will:

It's good to see your name bouncing around in the industry again.

TS

On Wed, 29 Dec 2004 17:56:28 -0500 (EST), J. Oquendo
<sil@...iltrated.net> wrote:
> 
> Impact:  Bug in Symantec products allows for free software updates
> Version(s):
> 
> Norton AntiVirus for Windows 9x/NT/Me/2000/XP
> Symantec Web Security
> Symantec AntiVirus Scan Engine
> Norton AntiVirus for Gateways
> Symantec AntiVirus for Gateways
> Norton AntiVirus Corporate Edition
> Symantec AntiVirus Corporate Edition
> Norton AntiVirus for Exchange
> 
> I. BACKGROUND
> Symantec whose stock price of $27.38 at market close on December 15, 2004,
> valuing the company at approximately $13.5 billion (according to their
> home page) has a simple little glitch in the above mentioned products,
> which would allow any user who has an expired product to automatically
> continue updating without purchasing the software after the program has
> expired. Vendor notified on 12/06/2004
> 
> II. DESCRIPTION
> Any user with an expired copy of the versions listed above can continue to
> receive updates at no extra cost. While not a true to form "bug", the
> silly workaround can hinder Symantec's future market valuations if users
> simply allowed their products to expire, downloaded any "Intelligent
> Updater" definitions via
> http://securityresponse.symantec.com/avcenter/defs.download.html and
> installed them with the clock turned back to a pre-expiration date.
> 
> Somehow, Symantec engineers have not implemented a mechanism to disallow a
> user from installing the patches via changing the date on their computer
> back to when the original program was installed and then running the
> "Intelligent Updater."  E.g.: User installs a 60 day trial version with
> free updates that expires on Jan, 01, 2005. User goes to install an update
> in July 2005 and gets a subscription error. User changes the date back to
> some time before the product expired and installs the new definition
> without problems. User changes date back forward without problems.
> 
> While not of the "Bugtraq" typical bug, Symantec engineers should try to
> resolve this to avoid any future revenue loss.
> 
> III. SOLUTION
> Symantec could rewrite their updates to include a timer, or check via
> atomic clock. Other options include informing their customers not to
> commit the evil act of modifying the dates on their computers.
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x51F9D78D
> Fingerprint 2A48 BA18 1851 4C99
> 
> CA22 0619 DB63 F2F7 51F9 D78D
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
> 
> sil @ politrix . org    http://www.politrix.org
> sil @ infiltrated . net http://www.infiltrated.net
> 
> "How can we account for our present situation unless we
> believe that men high in this government are concerting
> to deliver us to disaster?" Joseph McCarthy "America's
> Retreat from Victory"
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
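The expiry check described in the quoted advisory, next to one way to harden it, as an added example that is not part of either message and is not Symantec's code. The `Subscription` record, the function names and the dates are constructed for illustration; the hardened check assumes the stored high-water mark is tamper-resistant and that each definition package carries a signed release date.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Subscription:
    expires: date    # last day on which updates are licensed
    last_seen: date  # highest clock value ever observed (assumed tamper-resistant)


def naive_allows(sub, clock_today):
    """The check the advisory describes: only the local clock is consulted."""
    return clock_today <= sub.expires


def hardened_allows(sub, clock_today, defs_released):
    """Also uses a stored high-water mark and the package's own release date.

    defs_released is assumed to come from signed metadata in the definition
    package, so it does not depend on the local clock at all.
    """
    rolled_back = clock_today < sub.last_seen
    # Record the highest date seen on every run, including denied ones.
    sub.last_seen = max(sub.last_seen, clock_today)
    if rolled_back:
        return False, "clock is earlier than a previously recorded date"
    if clock_today > sub.expires:
        return False, "subscription expired"
    if defs_released > sub.expires:
        return False, "definitions released after subscription end"
    return True, "ok"


def demo():
    """Replay the advisory's scenario with constructed dates."""
    sub = Subscription(expires=date(2005, 1, 1), last_seen=date(2004, 11, 2))
    july_defs = date(2005, 7, 14)
    first = hardened_allows(sub, date(2005, 7, 15), july_defs)   # honest clock
    second = hardened_allows(sub, date(2004, 12, 20), july_defs)  # clock set back
    return first, second


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The release-date comparison still denies the update if the stored high-water mark is lost, because the July definitions postdate the subscription regardless of what the local clock says.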
