Managers, mind your patches and VPNs! While none has yet been reported, exploits of the Kerberos vulnerabilities uncovered by MIT researchers could wreak havoc on a network.
It’s unfortunate that this post, and the article it refers to, makes it look like it’s a design error in the Kerberos protocol when it is in fact implementation errors in the MIT Kerberos software (and in some implementations derived from it).
according to
http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerbero…
“Unix, Linux and Apple Computer’s Mac OS X potentially open to attack.”
Is this true?
Most articles that I’ve seen about these Kerberos bugs state they were discovered by MIT krb dev. team. The MIT dev. team released the advisory but the bugs were found by myself and Nico Williams at Sun Microsystems.
And yes, they are implementation flaws and not fundamental design issues.
The question asked is: is Unix/Windows/OSX/Linux, etc. open to attack? With GPL software, there is no (legal) way to hide the source code. This means that you can see the code and find out if your OS is vulnerable. Kerberos has an MIT license, so anyone can use the MIT code as the foundation of their Kerberos implementation without the GPL ‘encumbrance’ of forcing you to release your implementation of the derived work. So I’ll bet that EVERYBODY uses the MIT code as the foundation of their Kerberos implementation. If your OS is open source, you can look and see the Kerberos implementation.
If MIT had used the GPL, everybody that used their implementation would have to ‘confess’ that they used MIT Kerberos. This means that you would KNOW if your OS is vulnerable to a defect in the MIT codebase. I guess that this is truly an advantage of the GPL. It’s up to each person to decide if this advantage compensates for the disadvantages of using the GPL. I can see advantages to both sides, but this case illustrates the differences. The MIT/BSD style licence gives ‘freedom’ to the writer, while the GPL gives freedom to the user.
Perhaps I’m just dull, but this finally helps me to see the advantages of these open source licenses.
Have to agree. When I read the article, I thought it was some design flaw but why wasn’t MS’s version vulnerable as well. It turns out it was the implementation. Double-frees are hard to track down, especially when it’s due to a race condition. I hope it’s safe to assume that unlike most software developers (myself included), attention to errors like buffer overflows and double-frees is part of their first concern rather than something they leave for after they’re done with their reference implementation.
Isn’t everyone using Heimdal anyhow?
> according to
> http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerbero…..
> “Unix, Linux and Apple Computer’s Mac OS X potentially open to attack.”
> Is this true?

Only if you have Kerberos installed on your particular system and are actually using it for something…