Sil!! Nobody else on this list seems to have enough courtesy to say anything publicly (mainly because this list is populated in majority by juvenile retards), so I will:
It's good to see your name bouncing around in the industry again.

TS

On Wed, 29 Dec 2004 17:56:28 -0500 (EST), J. Oquendo <[EMAIL PROTECTED]> wrote:
>
> Impact: Bug in Symantec products allows for free software updates
> Version(s):
>
> Norton AntiVirus for Windows 9x/NT/Me/2000/XP
> Symantec Web Security
> Symantec AntiVirus Scan Engine
> Norton AntiVirus for Gateways
> Symantec AntiVirus for Gateways
> Norton AntiVirus Corporate Edition
> Symantec AntiVirus Corporate Edition
> Norton AntiVirus for Exchange
>
> I. BACKGROUND
> Symantec whose stock price of $27.38 at market close on December 15, 2004,
> valuing the company at approximately $13.5 billion (according to their
> home page) has a simple little glitch in the above mentioned products,
> which would allow any user who has an expired product to automatically
> continue updating without purchasing the software after the program has
> expired. Vendor notified on 12/06/2004
>
> II. DESCRIPTION
> Any user with an expired copy of the versions listed above can continue to
> receive updates at no extra cost. While not a true to form "bug", the
> silly workaround can hinder Symantec's future market valuations if users
> simply allowed their products to expire, downloaded any "Intelligent
> Updater" definitions via
> http://securityresponse.symantec.com/avcenter/defs.download.html and
> installed them with the clock turned back to a pre-expiration date.
>
> Somehow, Symantec engineers have not implemented a mechanism to disallow a
> user from installing the patches via changing the date on their computer
> back to when the original program was installed and then running the
> "Intelligent Updater." E.g.: User installs a 60 day trial version with
> free updates that expires on Jan, 01, 2005. User goes to install an update
> in July 2005 and gets a subscription error. User changes the date back to
> some time before the product expired and installs the new definition
> without problems. User changes date back forward without problems.
>
> While not of the "Bugtraq" typical bug, Symantec engineers should try to
> resolve this to avoid any future revenue loss.
>
> III SOLUTION
> Symantec could rewrite their updates to include a timer, or check via
> atomic clock. Other options include informing their customers not to
> commit the evil act of modifying the dates on their computers.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x51F9D78D
> Fingerprint 2A48 BA18 1851 4C99
>
> CA22 0619 DB63 F2F7 51F9 D78D
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
>
> sil @ politrix . org http://www.politrix.org
> sil @ infiltrated . net http://www.infiltrated.net
>
> "How can we account for our present situation unless we
> believe that men high in this government are concerting
> to deliver us to disaster?" Joseph McCarthy "America's
> Retreat from Victory"
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
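
Added example, not part of either post and not Symantec code: a sketch of a subscription check that does not rely on the local clock alone, in the direction the quoted "SOLUTION" section points. It goes slightly beyond the advisory by also comparing the definition package's own release date against the subscription end. All names (LicenseState, check_update, TOLERANCE) are hypothetical, and it assumes the release date comes from signed package metadata and that the persisted state is integrity-protected.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed allowance for legitimate clock corrections (timezone, DST, NTP).
TOLERANCE = timedelta(hours=24)


@dataclass
class LicenseState:
    """Hypothetical state the updater persists between runs."""
    expires: datetime    # end of the subscription or trial
    last_seen: datetime  # high-water mark of every timestamp observed so far


def check_update(state, system_now, defs_released):
    """Return (allowed, reason) and ratchet state.last_seen forward.

    system_now    -- what the local clock claims (user-controllable)
    defs_released -- release date carried by the definition package
                     (assumed to be covered by the vendor's signature)
    """
    # A clock that is well behind the high-water mark has been turned back.
    rolled_back = system_now + TOLERANCE < state.last_seen
    # Trusted time only moves forward, whatever the clock says today.
    state.last_seen = max(state.last_seen, system_now, defs_released)
    # Independent of the clock: the package itself proves how late it is.
    if defs_released > state.expires:
        return False, "definitions-postdate-subscription"
    if rolled_back:
        return False, "clock-rollback"
    if state.last_seen > state.expires:
        return False, "subscription-expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario following the advisory: trial ends 1 Jan 2005,
    # a July 2005 package is installed with the clock set to December 2004.
    st = LicenseState(expires=datetime(2005, 1, 1),
                      last_seen=datetime(2004, 12, 20))
    print(check_update(st, datetime(2004, 12, 20), datetime(2005, 7, 8)))
    # An older package with the clock turned back after that attempt:
    print(check_update(st, datetime(2004, 12, 15), datetime(2004, 12, 28)))
```
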
