
Symantec probes report of antivirus product flaw

Security software vendor is investigating a report of a weakness in the way its corporate antivirus software stores login credentials.

Symantec is investigating a report of a weakness in the way its corporate antivirus software stores login credentials, the security vendor said on Wednesday.

Symantec's AntiVirus Corporate Edition 9.0 saves usernames and passwords in plain text in a log file when connecting to an internal LiveUpdate server for updates, according to a post on the Bugtraq mailing list. The credentials are stored in a fixed location on the computer that's accessible by any user, according to the bug report.

Symantec's Incident Response team has been notified of the suspected issue, a Symantec representative said on Thursday. "Symantec's product teams are evaluating the issue now and, if necessary, will provide a prompt response and solution," the representative said.

In one scenario, a local attacker could abuse the user credentials to gain higher privileges, according to the bug report.

As a workaround, users of AntiVirus Corporate Edition could set their systems to allow anonymous, read-only access to the LiveUpdate server, one Bugtraq reader advises. "The downside is that anyone can take a look at the state of your LiveUpdate files and might use version or product information against you in some way," the reader writes.