The Massachusetts Institute of Technology (MIT) has fixed several critical Kerberos 5 flaws attackers could exploit to cause a buffer overflow and run malware on targeted machines.
Kerberos is widely used as a secure method for authenticating a request for a service in a computer network. It was developed in the Athena Project at MIT and is incorporated into a variety of products, including Sun Microsystems's Enterprise Authentication Mechanism software and its Solaris operating system, Red Hat Linux, MandrakeSoft Linux and Debian Linux.
The second problem was that the Kerberos administration daemon (kadmind) could write data through an uninitialized pointer, MIT said, adding, "This is a bug in the kadmind in MIT krb5. It is not a bug in the Kerberos protocol."
Because it is used so extensively, Danish vulnerability clearinghouse Secunia labeled the flaws "highly critical" in its SA26676 advisory. The company warned that the flaws "can be exploited by malicious users and malicious people to compromise a vulnerable system."
Secunia recommended users eliminate the threat to their systems by updating to Kerberos 1.5.5 or 1.6.3 as soon as it becomes available, or by applying the patches.