September 1, 2004 3:06 PM PDT
Security pros warn of critical flaws in Kerberos
However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Sun and Red Hat, have announced patches for the problem, but not all have.
Busy company IT managers frequently will not place high priority on vulnerabilities that have not been exploited by hackers. Yet, Huger stressed that thinking that way is asking for trouble.
"A worm likely won't be created using this flaw, but that means that it may stay unpatched, and that is really dangerous, especially with something that serves up your authentication," he said.
The Computer Emergency Response Team coordinated the Kerberos advisory, MIT's Hartman said.
The publication of the advisory went much more smoothly than a year ago, when another flaw in Kerberos was found. That information was leaked early by an unknown person who claimed to have access to the network.
Administrators should check their operating system vendor's Web site for more information on the recent flaws.