Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.
The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.
MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."
Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.
Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.
Microsoft also uses Kerberos, but a homegrown version that is not affected by the flaws.
Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.
Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.
This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.
Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.
....but I'm not a "Linux zealot". In fact, I don't use Linux at all. I do hope that's ok.
As I read the quote with respect to Microsoft, two thoughts came to mind.
First, MicroSoft does skate by some of the security flaws. Statistically, it's bound to happen. The old saying "A stopped clock is still right twice a day" comes to mind.
Second, the fact that MicroSoft uses their own "home grown" version of Kerberos AND by some cosmic quirk they happened to escape these particular flaws, DOES NOT mean that their version is free of flaws.
It's just a matter of time. The table is open....Place your bets
....but I'm not a "Linux zealot". In fact, I don't use Linux at all. I do hope that's ok.
As I read the quote with respect to Microsoft, two thoughts came to mind.
First, MicroSoft does skate by some of the security flaws. Statistically, it's bound to happen. The old saying "A stopped clock is still right twice a day" comes to mind.
Second, the fact that MicroSoft uses their own "home grown" version of Kerberos AND by some cosmic quirk they happened to escape these particular flaws, DOES NOT mean that their version is free of flaws.
It's just a matter of time. The table is open....Place your bets
considering the multiple flawes that have been identified in kerberos over the years of which most have not been in MS implementation as MS when it reviewed the MIT implementation identified many of flawes and were then laughed at and abused for making the changes to there implemetation as they claimed it was better. They have been proven right (there implementation has been out there for over 5 years) but all you will see from people is that "just because they haven't found flawes yet doesn't meant they dont't have any".
considering the multiple flawes that have been identified in kerberos over the years of which most have not been in MS implementation as MS when it reviewed the MIT implementation identified many of flawes and were then laughed at and abused for making the changes to there implemetation as they claimed it was better. They have been proven right (there implementation has been out there for over 5 years) but all you will see from people is that "just because they haven't found flawes yet doesn't meant they dont't have any".
Google creates an animated doodle that features a boy, a girl, Google's search engine, and a jump rope. But might there be darker, more analytical, more troubling interpretations to this tale?
The Silicon Valley online payments startup grew by 1,000 percent last year and is hopeful it can repeat that level of growth this year. To do that, it's had to move away from its early friends-and-family roots and embrace small businesses.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
As I read the quote with respect to Microsoft, two thoughts came to mind.
First, MicroSoft does skate by some of the security flaws. Statistically, it's bound to happen. The old saying "A stopped clock is still right twice a day" comes to mind.
Second, the fact that MicroSoft uses their own "home grown" version of Kerberos AND by some cosmic quirk they happened to escape these particular flaws, DOES NOT mean that their version is free of flaws.
It's just a matter of time. The table is open....Place your bets
As I read the quote with respect to Microsoft, two thoughts came to mind.
First, MicroSoft does skate by some of the security flaws. Statistically, it's bound to happen. The old saying "A stopped clock is still right twice a day" comes to mind.
Second, the fact that MicroSoft uses their own "home grown" version of Kerberos AND by some cosmic quirk they happened to escape these particular flaws, DOES NOT mean that their version is free of flaws.
It's just a matter of time. The table is open....Place your bets