Re: SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM

From: Sym Security (
Date: 01/12/04

  • Next message: Matt Zimmerman: "[SECURITY] [DSA 421-1] New mod-auth-shadow packages fix password expiration checking"
    Date: Mon, 12 Jan 2004 13:05:19 -0600

    In response to SnoSoft's, SRT2004-01-9-1022 - Symantec LiveUpdate allows
    local users to become SYSTEM, 01/12/2004 06:22AM:

    Quick Summary:
    Advisory Number : SRT2004-01-09-1022
    Product : Symantec LiveUpdate
    Version : 1.70.x through 1.90.x
    Vendor :
    Class : Local
    Criticality : High (to users of the below listed products)
    Products Affected : Symantec LiveUpdate 1.70.x through
                                                     : Norton SystemWorks
                                                     : Norton AntiVirus (and
    Pro) 2001-2004
                                                     : Norton Internet
    Security (and Pro) 2001-2004
                                                     : Symantec AntiVirus for
    Handhelds v3.0
    Operating System(s) : Win32

    Symantec Security Response Advisory


    12 January 2004

    Symantec Automatic LiveUpdate Local User Elevation of Privilege

    Revision History

    Risk Impact

    Local access required. Automatic LiveUpdate launches as a scheduled task
    if so configured and only on systems running retail versions of Symantec
    products. Impact of this issue would result in elevated privilege on the
    host system only and is highly dependent on system configuration and

    Security analysts from Secure Network Operations notified Symantec of a
    potential issue with the Automatic LiveUpdate feature, available with
    retail versions of some Symantec products, when running as a scheduled
    task. If the system is configured as a multi-user system with privileged
    and non-privileged user access, a non-privileged user could potentially
    access and manipulate the Symantec Automatic LiveUpdate GUI functionality
    to gain privileged system access.

    Affected Components
    Symantec Windows LiveUpdate 1.70.x through 1.90.x
    Symantec Norton SystemWorks 2001-2004
    Symantec Norton AntiVirus and Norton AntiVirus Pro 2001-2004
    Symantec Norton Internet Security and Norton Internet Security Pro
    Symantec AntiVirus for Handhelds v3.0

    Not Affected
    Symantec Windows LiveUpdate v2.x
    Symantec Java LiveUpdate (all versions)
    Symantec Enterprise products (Symantec Enterprise products do not support
    the Automatic LiveUpdate functionality)

    Symantec Automatic LiveUpdate, a functionality included with many Symantec
    retail products, is launched by the system scheduler on system startup and
    then periodically after startup. Symantec Automatic LiveUpdate checks for
    available updates to any supported Symantec products installed on the

    Symantec Automatic LiveUpdate can be configured to notify the user when
    Symantec product updates are available for download. Symantec Automatic
    LiveUpdate does this via a LiveUpdate icon displayed in the system
    taskbar. At this prompt, the user may choose to open an interactive
    LiveUpdate session to retrieve any available updates.

    When a vulnerable version of Symantec Automatic LiveUpdate is initially
    launched at startup it is assigned Local System privileges. During the
    time when an interactive LiveUpdate session is available, and only during
    this session, a non-privileged user could potentially manipulate the
    LiveUpdate GUI functionality to gain elevated privilege on the local host.
     For example, the user could gain privileges to search all system files,
    assume full permission for directories and files on the host, or add
    themselves to the local administrative group.

    Symantec Response

    Symantec verified this vulnerability does exist in the current supported
    versions of Automatic LiveUpdate shipped with many Symantec retail
    products. This issue is fixed in the latest release of Symantec Windows
    LiveUpdate v2.0.

    Symantec Windows LiveUpdate 2.0 is available for download from the
    Symantec technical support site at should you choose not to
    update via Symantec's LiveUpdate capability.

    Symantec Windows LiveUpdate 2.0 is also available for all supported
    Symantec products via the Symantec product's LiveUpdate function. To
    update using LiveUpdate, select the LiveUpdate option within your retail
    Symantec product and download and install all available updates. In some
    cases, the update to LiveUpdate 2.0 may required a restart of your system
    to complete.

    To determine your version of Symantec LiveUpdate:

    1. Open any Symantec retail product installed on your system, e.g.,
    Symantec Norton AntiVirus 2004
    2. Click on LiveUpdate in the toolbar
    3. Click on the LiveUpdate system menu to see the drop-down selections

    4. Click on "About LiveUpdate" to see the version of LiveUpdate you are

    If you are running a version of Symantec LiveUpdate prior to v2.0,
    Symantec recommends running LiveUpdate or downloading Symantec Windows
    LiveUpdate v2.0 from the support site indicated above to upgrade your
    system to the latest version of Symantec LiveUpdate.

    Mitigating Circumstances

    While effectively exploiting this issue would permit a non-privileged user
    to gain privileged access on the local host, there are mitigating
    circumstances that greatly reduce the risk of exploitation in Symantec's
    Automatic LiveUpdate:

    * Symantec Automatic LiveUpdate is implemented in retail versions of
    Symantec products ONLY.
    * The system is vulnerable only if the interactive LiveUpdate capability
    is available to the user
    o Automatic LiveUpdate must be configured with the option enabled to
    notify the user when updates are available
    o If the system is a single-user system, this issue would not have an
    o If the system IS configured as a multi-user system with privileged and
    non-privileged user access to the host system, the non-privileged user
    would require an authorized user account on the host system and must be
    logged on interactively to exploit this issue
    * Elevated privileges can be gained only on the local system, which
    normally limits any impact

    Symantec takes the security and proper functionality of its products very
    seriously. Symantec appreciates the efforts of KF and the Security Network
    Operations security team in identifying this issue and coordinating with
    Symantec during the verification and fix process to properly update and
    protect Symantec customers. Information on this and other security issues
    can be found at the Secure Network Operations Inc., web site,

    The Common Vulnerabilities and Exposure (CVE) initiative has assigned the
    name CAN-2003-0994 to this issue.
    This is a candidate for inclusion in the CVE list (,
    which standardizes names for security problems.

    Anyone with information on security issues with Symantec products should
    contact This advisory is posted on the Symantec
    Security Response page.

    Symantec strongly recommends using encrypted email for reporting
    vulnerability information to The SymSecurity
    PGP key may be obtained here.

    Copyright (c) 2004 by Symantec Corp.
    Permission to redistribute this Advisory electronically is granted as long
    as it is not edited in any way unless authorized by Symantec Security
    Response. Reprinting the whole or part of this Advisory in a medium other
    than electronically requires permission from

    The information in the advisory is believed to be accurate at the time of
    printing based on currently available information. Use of the information
    constitutes acceptance for use in an AS IS condition. There are no
    warranties with regard to this information. Neither the author nor the
    publisher accepts any liability for any direct, indirect or consequential
    loss or damage arising from use of, or reliance on this information.

    Symantec, Symantec Security Response, Symantec product names and Sym
    Security are Registered Trademarks of Symantec Corp. and/or affiliated
    companies in the United States and other countries. All other registered
    and unregistered trademarks represented in this document are the sole
    property of their respective companies/owners.


  • Next message: Matt Zimmerman: "[SECURITY] [DSA 421-1] New mod-auth-shadow packages fix password expiration checking"