The flaws could allow an online intruder to gain access to computers running a security feature known as Kerberos. The vulnerabilities, found by the developers at Sun Microsystems and the Kerberos Team at the Massachusetts Institute of Technology, should be patched as soon as possible, Sam Hartman, engineering lead for the team, said Wednesday.
"I would not expect this to lead to a worm," Hartman said. "Most sites will patch it because patching is easy to do. Whereas, if you do have a compromise, it is a lot of work to recover."
Kerberos is the keystone to security for many networks. The software essentially acts as a gatekeeper, identifying the people who are allowed to access computers in the network and those who are not. That makes the software flaws particularly pernicious.
The flaws, known as double-free vulnerabilities, occur when part of the program attempts to free the same region of memory twice. Such errors are not as easy to take advantage of as the more common memory error, the buffer overflow. That gives administrators a little breathing room, Hartman said.
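As an added illustration of the double-free pattern described above (this is not Kerberos code and not from the original article), the following C sketch shows the ownership rule that prevents a helper's error path and its caller's cleanup from freeing the same block twice; the ticket struct, function names and free counter are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not Kerberos code: the double-free bug class the article
 * describes, and the ownership rule that removes it.  The struct, function
 * names and free counter are constructed for illustration. */

static int frees_seen = 0;   /* counts free() calls, to check the fix */
struct ticket {
    char  *data;             /* heap buffer owned by the struct */
    size_t len;
};

/* Single release point: frees once, then clears the dangling pointer so a
 * second call is a harmless no-op instead of a second free(). */
static void ticket_release(struct ticket *t)
{
    if (t->data == NULL)
        return;
    free(t->data);
    t->data = NULL;
    frees_seen++;
}

/* A double free arises when a helper frees t->data on its error path and
 * the caller's cleanup frees the same block again.  This helper releases
 * through ticket_release(), which nulls the pointer, so that cannot happen. */
static int ticket_parse(struct ticket *t, const char *raw, int inject_error)
{
    t->len  = strlen(raw);
    t->data = malloc(t->len + 1);
    if (t->data == NULL)
        return -1;
    memcpy(t->data, raw, t->len + 1);
    if (inject_error) {      /* simulated parse failure after allocation */
        ticket_release(t);
        return -1;
    }
    return 0;
}

/* Runs the failing helper, then the caller's usual cleanup, and returns how
 * many times the buffer was actually freed: exactly once. */
int frees_on_error_path(void)
{
    struct ticket t = { NULL, 0 };
    frees_seen = 0;
    (void)ticket_parse(&t, "constructed sample ticket", 1);
    ticket_release(&t);      /* caller cleanup after the helper already freed */
    return frees_seen;
}
```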
"We have no reason to believe that anyone has produced an exploit program," he said. "Moreover, this is not something where we have seen an attack in the wild."
Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said.

The open source community has had 17 years to find and fix that flaw. I guess that's a blight on the concept of open-source facilitating fixes. Apparently, more eyes didn't do the job.
Now that Slashdot users have illegally posted Microsoft's Kerberos specifications online, maybe the open-source community can steal some more code to patch their authentication system.
sheesh.