In the same key, there is a REG_DWORD called PasswordIsEncrypted, that is set to 0. I figure that this key is used to tell Liveupdate to decrypt the encrypted password in the password key, but I haven't been able to find out how to get LiveUpdate to encrypt the password when it sets it. Steven V> > ---------- > From: Javier Sanchez[SMTP:jsanchez157@hotmail.com] > Sent: Monday, February 25, 2002 11:14 AM > To: bugtraq@securityfocus.com > Subject: Symantec LiveUpdate > > Norton Antivirus Corporate Edition includes LiveUpdate. LiveUpdate stores > > Username and Password information in cleartext in the registry. Depending > > on your implementation, you may not need LiveUpdate installed at all on > your > clients. > > I brought this to Symantec's attention months ago. Since then a new > version > of LiveUpdate has been released. The information is still not encrypted. > > Any user with the client installed can run "regedit" search for "password" > > and viola! > > Here's a "fix": > Paste the following into a .reg file (i.e. nav.reg) and push it out to > your > clients via login script or whatever: > REGEDIT4 > > [HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Li > veUpdateSource] > "Login"=- > "Password"=- > > > > > > _________________________________________________________________ > Chat with friends online, try MSN Messenger: http://messenger.msn.com > >
