Kerberos Vulnerability


Craig H

MIT just released a double-free vulnerability in KDC and
libraries (http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt).
Cisco and Red Hat have responded
to this. Is this an issue that affects the Microsoft
implementation of Kerberos as well? If so, when can we
expect remediation?
 
Subscribe to Microsoft's Security Notification Service if you want to be kept up to
date with current security updates at the link below.

http://www.microsoft.com/technet/security/bulletin/notify.mspx

I don't know currently if it affects MS. Following other security procedures
including a properly configured firewall should minimize impact in the
meantime. --- Steve
 
I am not positive but I doubt it. Most of the MIT vulns that have come out in
the last couple of years, actually I think every MIT vuln in the last couple of
years has not impacted Active Directory. MS does not use the MIT dist like
others do.

joe
 
microsoft.public.win2000.security news group, Joe Richards [MVP]
I am not positive but I doubt it. Most of the MIT vulns that have come out in
the last couple of years, actually I think every MIT vuln in the last couple of
years has not impacted Active Directory. MS does not use the MIT dist like
others do.

It does not. Microsoft follows the MIT protocol specifications for
Kerberos, however, they do not use any of the MIT libraries. The
Kerberos in Windows is written completely from scratch by Microsoft.
 
