DHASKIN@CLARKU.BITNET (Denis W. Haskin, Manager, Technical Services) (05/29/87)
From: S. David Streiff <SYSOP1@HARTFORD.BITNET>
> In relation to this security hole problem could someone please
> send me the commands that create this hole.
> PLEASE DO NOT POST THEM ON THE NET.
> SEND IT DIRECTLY TO THIS ACCOUNT.
> We're trying to determine whether the hole is large enough to require our
> installing the patch. Thank you.

From: John McMahon <XRJJM%DIRBE.SPAN@JPL-VLSI.ARPA>
> I would like to know where this hole is, however I doubt anyone would be
> willing to ship this information across the network. Is there any way
> myself (or my System Manager) can inquire about it? Some official DEC
> source perhaps?

A couple of weeks ago when the hole first surfaced I called TSC about it,
and while they obviously wouldn't say much, the basic symptoms are that a
user with TMPMBX and NETMBX (which are pretty standard for all sites, 'cause
you're pretty limited without them) can grant his/herself ALL privileges.

Colorado did claim that (a) accomplishing this is *not* trivial -- one would
really have to know VMS well, and (b) one really requires access to VMS
source code to discover/accomplish it. That is also less likely with DEC's
attitude toward fiche since 4.0.

As mentioned previously on this list, TSC was dropping off patches via
modem, but it looks like they've caught up and I just received it again thru
the 'proper' channels. It doesn't say much:

    The patch included in this mandatory update is essential and should be
    installed immediately. If you choose not to install this mandatory
    update, you may compromise the integrity of your operating system.

% Denis W. Haskin                             Manager, Technical Services %
% ----------------------------------------------------------------------- %
% DHASKIN@CLARKU.BITNET    Office of Information Systems    (617)793-7193 %
% Clark University         950 Main Street         Worcester MA 01610     %
%                                                                         %
% "Anyone who _moves_ before Most Holy comes back out will spend the rest %
%  of eternity sipping lava through an iron straw."             - Cerebus %