
Hackers could have a field day...
By Joris Evers
Published: 14 July 2005 08:04 GMT
Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.
The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology (MIT).
MIT rates both flaws "critical", according to two advisories released on Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult".
Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable but it does not have a patch available yet.
Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, California. "I think you are going to see a floodgate of patches open," he said.
Microsoft also uses Kerberos but a homegrown version that is not affected by the flaws.
Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.
Independent security-monitoring company Secunia rates the issues "highly critical", its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical", its highest ranking.
Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.
This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.
Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.
Joris Evers writes for CNET News.com
You will be responsible for all security incidents, incident response, IDS analysis, threats and tracking vulnerabilities of the infrastructure.Due ...
You will also have reasonable coding experience and be able to check code for vulnerabilities before it is released. You will conduct regular ...
Most desirable is experience of databases/SQL (ability to create and run own queries), MQ (any variant), SWIFT, ISO15022, ISO20022, FIX, XML, ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy