Security pros warn of critical flaws in Kerberos

Vulnerabilities in technology widely used for network authentication leave computers open to attack.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Oct. 6, 2004 12:20 p.m. PT

page one

(continued from )

However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Sun and Red Hat, have announced patches for the problem, but not all have.

Click here to comment on this story.

Even if a worm may not be created to exploit the flaws, administrators need to patch the issue as soon as possible, said Alfred Huger, senior director for security at network protection firm Symantec. "We see a lot of it in customer environments," he said. "It is very common."

Busy company IT managers frequently will not place high priority on vulnerabilities that have not been exploited by hackers. Yet, Huger stressed that thinking that way is asking for trouble.

"A worm likely won't be created using this flaw, but that means that it may stay unpatched, and that is really dangerous, especially with something that serves up your authentication," he said.

The Computer Emergency Response Team coordinated the Kerberos advisory, MIT's Hartman said.

The publication of the advisory went much smoother than a year ago, when another flaw in Kerberos was found. That information was leaked out early by an unknown person who claimed to have access to the network.

Administrators should check their operating system vendor's Web site for more information on the recent flaws.

< | 1 | 2