CNET también está disponible en español.

Ir a español

Don't show this again

Fauci to join Biden's COVID team Watch Arecibo Observatory collapse Mulan free on Disney Plus The Mandalorian episode recap Warner Bros. movies on HBO Max PS5 inventory Spotify Wrapped 2020

Symantec probes report of antivirus product flaw

Security software vendor is investigating a report of a weakness in the way its corporate antivirus software stores login credentials.

Symantec is investigating a report of a weakness in the way its corporate antivirus software stores login credentials, the security vendor said on Wednesday.

Symantec's AntiVirus Corporate Edition 9.0 saves usernames and passwords in plain text in a log file when connecting to an internal LiveUpdate server for updates, according to a post on the Bugtraq mailing list. The credentials are stored in a fixed location on the computer that's accessible by any user, according to the bug report.

Symantec's Incident Response team has been notified of the suspected issue, a Symantec representative said on Thursday. "Symantec's product teams are evaluating the issue now and, if necessary, will provide a prompt response and solution," the representative said.

One scenario in which the user credentials could be abused is by a local attacker to gain higher privileges, according to the bug report.

As a workaround, users of AntiVirus Corporate Edition could set their systems to allow anonymous, read-only access to the LiveUpdate server, one Bugtraq reader advises. "The downside is that anyone can take a look at the state of your LiveUpdate files and might use version or product information against you in some way," the reader writes.