Symantec's AntiVirus Corporate Edition 9.0 saves usernames and passwords in plain text in a log file when connecting to an internal LiveUpdate server for updates, according to a post on the Bugtraq mailing list. The credentials are stored in a fixed location on the computer that's accessible by any user, according to the bug report.
Symantec's Incident Response team has been notified of the suspected issue, a Symantec representative said on Thursday. "Symantec's product teams are evaluating the issue now and, if necessary, will provide a prompt response and solution," the representative said.
One scenario in which the user credentials could be abused is by a local attacker to gain higher privileges, according to the bug report.
As a workaround, users of AntiVirus Corporate Edition could set their systems to allow anonymous, read-only access to the LiveUpdate server, one Bugtraq reader advises. "The downside is that anyone can take a look at the state of your LiveUpdate files and might use version or product information against you in some way," the reader writes.
Xbox boss confirms Project Scarlett will have a disc drive: Here's what else we know about the upcoming console, including 8K graphics, 120 fps and SSD.
Watch every E3 video game trailer from Square Enix, Ubisoft, Bethesda and Microsoft's E3 conferences: All the trailers you need to see are right here!
Discuss: Symantec probes report of antivirus product flaw
Be respectful, keep it civil and stay on topic. We delete comments that violate our policy, which we encourage you to read. Discussion threads can be closed at any time at our discretion.