The LiveUpdate server login name and password are written to a local log file in clear text. This happens when the LiveUpdate client checks for updates from the server. This is an issue only when a local LiveUpdate server is used with a login name and password.
The login name and password belong to the account configured by the LiveUpdate server administrator for accessing LiveUpdate packages. Symantec strongly recommends that this user account be unique for accessing LiveUpdate packages only, and have no other system access. The system administrator account should never be used for this purpose.
Note: As stated in the LiveUpdate download readme file, LiveUpdate version 2.7.x does not support the LiveUpdate Administration Utility, Version 1.5.x. If you are running a system as a Central LiveUpdate server, please go to http://www.symantec.com/techsupp/files/lu/lu.html and download Version 18.104.22.168 update for the LiveUpdate Administration Utility.
An update for the LiveUpdate 2.7 client has been released and can be downloaded from the following location:
Symantec is not aware of any active attempts against or organizations impacted by this issue.
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.
Symantec thanks Arthur Freyman for notification of this issue and coordination of disclosure as it was resolved.