Glitch fixed in Symantec Corporate AntiVirus

Symantec releases a fix for a weakness in the way its corporate antivirus software stores log-in credentials.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Symantec late on Friday released an update for AntiVirus Corporate Edition 9.0 to fix a security weakness that was . The unpatched software stores usernames and passwords in plain text in a log file when connecting to an internal LiveUpdate server for updates. In one scenario, a local attacker could abuse these credentials to gain higher privileges, according to a post on the Bugtraq mailing list last week.

Symantec has now updated its LiveUpdate client to address the problem, according to a security advisory. Still, the company recommends that LiveUpdate user accounts be unique, used for accessing LiveUpdate only, and have no other system access. Symantec ranks the password problem as a "medium" risk.