Local Privileges Elevation via Symantec LiveUpdate
16 Dec. 2004
Summary
Symantec Automatic LiveUpdate, a functionality included with many Symantec retail products as well as on Symantec AntiVirus for Handhelds Corp v3.0, is launched by the system scheduler on system startup and then periodically after startup. Symantec LiveUpdate can automatically check for available updates to any supported Symantec products installed on the system using a scheduled task call NetDetect.
Vulnerable versions of the Symantec Automatic LiveUpdate are initially launched at startup and were being assigned Local System privileges. During the period when an interactive LiveUpdate session is available, and only during this session, a non-privileged user could potentially manipulate portions of the LiveUpdate GUI Internet options configuration functionality to gain elevated privilege on the local host. For example, the non-privileged user could gain privileges to search and edit all system files, assume full permission for directories and files on the host, or create new user accounts on the local system.
Affected Components
* Symantec Windows LiveUpdate prior to v2.5
* Symantec Norton SystemWorks 2001-2004
* Symantec Norton AntiVirus and Pro 2001-2004
* Symantec Norton Internet Security and Pro 2001-2004
* Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0
Not Affected
* Symantec Windows LiveUpdate v2.5
* Symantec Java LiveUpdate (all versions)
* Symantec Enterprise products (Symantec Enterprise products do not support the Automatic LiveUpdate functionality with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0)
Additional Information:
If exploited effectively this issue would permit a non-privileged user to gain privileged access on the local host. Symantec has produced a list of mitigating circumstances that reduce the risk of exploitation in the Automatic
LiveUpdate feature.
Symantec Automatic LiveUpdate is only implemented in retail versions of Symantec products with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0. This version uses Symantec Automatic LiveUpdate to check for essential updates when connected to the network.
The system is vulnerable only when the interactive LiveUpdate capability is activated and configured with the option to notify the user when updates are available. Single user systems are not a the same risk factor as multi-user systems in shared environments. Shared computers in university or office type environments with restricted or non-privileged user access are at high risk.
Symantec Response
Symantec engineers had already identified this issue in supported versions of Symantec Windows LiveUpdate and were in the process of addressing it when Secure Network Operations analysts contacted us with their verification of the issue. Symantec addressed this issue in Symantec Windows LiveUpdate v2.5, which if customers have been keeping their systems updated should have already been installed on affected Symantec products. The latest version of Symantec Windows LiveUpdate is also available for download from the Symantec technical support site at http://www.symantec.com/techsupp/files/lu/lu.html.
Determining your version of Symantec LiveUpdate:
1. Open any Symantec retail product installed on your system, e.g., Symantec Norton AntiVirus 2004
2. Click on LiveUpdate in the toolbar
3. Click on the LiveUpdate system menu to see the drop-down selections
4. Click on "About LiveUpdate" to see the version of LiveUpdate you are running
If you are running a version of Symantec Windows LiveUpdate earlier than version 2.5, you should either run LiveUpdate to get the latest updates for products on your system, or download the latest release of Symantec Windows LiveUpdate from the location provided above.
Mitigating Circumstances
While effectively exploiting this issue would permit a non-privileged user to gain privileged access on the local host, there are mitigating circumstances that greatly reduce the risk of exploitation in Symantec's Automatic LiveUpdate:
* Symantec Automatic LiveUpdate is only implemented in retail versions of Symantec products with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0, which uses Symantec Automatic LiveUpdate to check for essential updates when connected to the network.
* The system is vulnerable only if the interactive LiveUpdate capability is implemented on the system
o Automatic LiveUpdate must be configured with the option enabled to notify the user when updates are available
o If the system is a single-user system, this would not be an issue
o If the system IS configured as a multi-user system with privileged and non-privileged user access to the host system, the non-privileged user would require an authorized user account on the host system and must be logged on interactively to exploit this issue
* Elevated privileges can be gained only on the local system, which normally limits any impact
