[comp.sys.ibm.pc.rt] AIX 2.2.1 security alert and coverup

buck@siswat.UUCP (A. Lester Buck) (04/07/89)

On Feb. 7, 1989, our site upgraded from AIX/RT 2.2.0 to 2.2.1.
There was a gaping security hole after the installation.
(Think of the worst security hole you can imagine.  Yes, it is
worse than that...)  We reported the incident to IBM on 2/8
and I sent a security alert to the private zardoz!security
mailing list detailing the gaffe.  In that message I suggested
people not hold their breaths waiting for IBM to issue new
disks, since the policy on the RT (read your licenses) is to
not send any notification of any bugs to any licensee until
they request them.  That is, lots of people get to discover
the same bugs over and over and over.  As it turns out, I
was only too accurate in predicting the IBM response.

Today (4/6) IBM finally closed our incident and we received disks
that purport to fix the problem.  (We are not going to revert
to the insecure state to test the fix.)  But IBM refuses to
issue any type of alert to its licensees warning them to apply
the fixes, or to even announce their availability.  Potentially
thousands of RTs are now vulnerable to the most trivial attack.
If you are a system administrator for any RTs, you should
immediately call IBM and demand the AIX updates through
patch IX03053, and give them a piece of your mind as to why
you were not informed of an extremely serious security breach.
IBM crowed excessively about how they had plugged the sendmail worm
hole in their delivered product, and that only affected Internet
sites.  Now they deliver a much more serious botch that can
lay bare any machine on which it is installed and they want
to cover it up.

And to top it all off, they tell us they didn't feel like
fixing the default security checking setup in /etc/security/config
to check some obvious files.  "Well, the system administrator
is free to add those files and directories to the config list."
Sure, but why should they have to?

I will be happy to reply (mailers willing) to any mail I receive
from root accounts asking for the details of this botch, but
I will delay for a couple of weeks to let the IBM updates propagate.

If IBM thinks AIX will conquer the world with this type of behavior,
they sure haven't checked out the competition.

-- 
A. Lester Buck		...!texbell!moray!siswat!buck