Exposure of sensitive information
Kerio ServerFirewall 1.x
Kerio MailServer 5.x
Kerio MailServer 6.x
Javier Munoz has reported a security issue in Kerio MailServer and
Kerio ServerFirewall, which potentially can be exploited by
malicious, local users to gain knowledge of sensitive information.
The problem is that user passwords are stored in the user credential
database using symmetric encryption. This may allow malicious users
with access to the database to gain knowledge of the passwords by
decrypting them using a key hidden in the program logic.
NOTE: A problem with insecure ACLs has also been reported.
Update to Kerio MailServer 6.0.5 and Kerio ServerFirewall 1.0.1.
Symantec Windows LiveUpdate NetDetect Privilege Escalation
SECUNIA ADVISORY ID:
Norton AntiVirus 2002
Norton AntiVirus 2001
Norton Internet Security 2001
Norton Internet Security 2002
Norton Internet Security 2003
Norton Internet Security 2003 Professional
Norton Internet Security 2004
Norton Internet Security 2004 Professional
Norton SystemWorks 2001
Norton SystemWorks 2002
Norton SystemWorks 2003
Norton SystemWorks 2004
Symantec AntiVirus for Handhelds 3.x
Symantec Norton AntiVirus 2003
Symantec Norton AntiVirus 2004
Symantec Windows LiveUpdate 1.x
Symantec Windows LiveUpdate 2.x
Secure Network Operations has reported a vulnerability in Symantec
Windows LiveUpdate, which can be exploited by malicious, local users
to gain escalated privileges.
The vulnerability is caused due to Symantec Automatic LiveUpdate
allowing manipulation of certain Internet options with SYSTEM
privileges. This can be exploited via the LiveUpdate GUI during an
interactive LiveUpdate session when running the scheduled "NetDetect"
Successful exploitation allows execution of arbitrary commands with
The vulnerability has been reported in LiveUpdate prior to version
The following products include LiveUpdate and are affected:
Symantec Norton SystemWorks 2001-2004
Symantec Norton AntiVirus and Pro 2001-2004
Symantec Norton Internet Security and Pro 2001-2004
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0
Update to Symantec Windows LiveUpdate version 2.5.
This is available via the LiveUpdate functionality or at:
PROVIDED AND/OR DISCOVERED BY:
Secure Network Operations
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
An added note here. The newest version is actually 2.6, not 2.5 as noted in this report from Secunia. The link they supply DOES take you to 2.6. This is the update that most of us regulars in this forum already did 2 or 3 weeks ago when Donna reported that it was available. The easiest way to check your version is to bring up the Norton Utility and click on the Live Update button; when that window comes up, click on the top left side where it says options/about. A small window will pop up and tell you which version you have. You WILL have to reboot after updating.
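
The Kerio advisory above describes passwords stored with symmetric encryption under a key hidden in the program logic. The sketch below is an added example, not part of the Secunia advisory or of Kerio's code: it contrasts that storage pattern with a salted, one-way PBKDF2 record. The XOR cipher, `EMBEDDED_KEY`, the function names and the sample passwords are constructed stand-ins, not Kerio's actual algorithm or key.

```python
import hashlib
import hmac
import os
from itertools import cycle

# Constructed stand-in for a key compiled into a product (not Kerio's key).
EMBEDDED_KEY = b"constructed-demo-key"
PBKDF2_ITERATIONS = 600_000


def reversible_store(password: str) -> bytes:
    """Weak pattern: reversible encryption under a key shipped with the program."""
    data = password.encode("utf-8")
    return bytes(b ^ k for b, k in zip(data, cycle(EMBEDDED_KEY)))


def reversible_recover(record: bytes) -> str:
    """Database read access plus the program's key yields every cleartext password."""
    return bytes(b ^ k for b, k in zip(record, cycle(EMBEDDED_KEY))).decode("utf-8")


def hashed_store(password: str) -> dict:
    """Hardened pattern: per-user random salt and a slow one-way derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Parameters are stored with the record so the work factor can be raised later.
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def hashed_verify(password: str, record: dict) -> bool:
    """Recompute from the candidate password; the stored digest is never inverted."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    weak = reversible_store("S3cret!")  # constructed sample password
    print("reversible record decrypts to:", reversible_recover(weak))
    print("equal passwords give equal records:", weak == reversible_store("S3cret!"))

    strong = hashed_store("S3cret!")
    print("salted records differ:", strong["digest"] != hashed_store("S3cret!")["digest"])
    print("correct password verifies:", hashed_verify("S3cret!", strong))
    print("wrong password verifies:", hashed_verify("guess", strong))
```

With the one-way record, a copy of the credential database no longer contains anything that the program itself can turn back into a password.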