Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!apple!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!ubu.cc.lehigh.edu!virus-l
From: WHMurray@DOCKMASTER.ARPA
Newsgroups: comp.virus
Subject: Mainframe Vulnerability
Message-ID: <0005.8906201731.AA26692@spot.CC.Lehigh.EDU>
Date: 19 Jun 89 14:55:00 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 49
Approved: virus-l@ubu.cc.lehigh.edu

> He [Harold Joseph Highland] indicated large systems could be
> infected more easily than was
> commonly believed. In particular, he said a glaring weakness existed
> in Communications Monitoring System (CMS) version 4 for IBM's MVS
> operating system where a dangerous virus could be introduced by simply
> programming 16 lines of code.

Since this problem has been referred to several times, a little background might be useful.

The "weakness" referred to was in a spool handling program shipped as part of VM/SP, not MVS.

In early VM systems, spool objects were "card images" containing only one CMS named object per spool object. Later a "disk image" spool object was added. This disk image could contain more than one CMS object per spool object. A user, looking at his in-spool queue, or READER, would see as the name of the spool object only the name of the first CMS object in the spool object. Unless he scanned, or PEEKed, the object in the spool before reading it in, he might read in a CMS object that he did not know about.

HJH may call it a glaring weakness if he likes. It seems to me that the problem was that it did not "glare" enough. Indeed, it was quite subtle, but it might have made it likely for someone to read into his virtual machine a named data object that he had not seen in his reader. Such an object could have been "an armed warrior" in a gift horse.

I call it a reasonable design choice, at least at the time that the choice was made. IBM made a change in Rel. 5 to protect a naive user from his own behavior. It did so at the expense of a performance hit and a usability hit to all users. It made the change on its own initiative. If memory serves me correctly, there were no complaints from customers about the condition. On the other hand, there were a number of questions raised about the performance implications of the change. Had IBM not made the change, it is unlikely that HJH would know anything of the exposure.

[I am retired from IBM and receive a small income from them. In return for that income, I owe them nothing in comparison to what I owe the truth.]

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
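The reader problem Murray describes above, modeled as an added example that is not part of the original post and is not VM/SP or CMS code: a tar archive stands in for a "disk image" spool object that carries several named objects, a naive listing reports only the first member's name, and PEEK enumerates every member before anything is read in. The member names, their contents and the acceptance policy in read_into_vm are constructed for illustration (real CMS names are "filename filetype" pairs; the dotted names here are placeholders), and the policy is this example's own, not a description of what IBM changed in Release 5.

```python
"""Model of a multi-object spool file and the naive-reader exposure.

Added example, not code from the original post.  A tar archive stands in
for a VM/SP "disk image" spool object; member names and data are constructed.
"""
import io
import tarfile


def build_spool_object(members):
    """Build one in-memory spool object holding several named objects.

    `members` is a list of (name, bytes) pairs.  The first entry is the one
    a naive reader listing will show; the rest ride along unseen.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_reader_listing(spool_bytes):
    """What the Release 4 style listing showed: the first object's name only."""
    with tarfile.open(fileobj=io.BytesIO(spool_bytes), mode="r") as tar:
        first = tar.next()
    return first.name if first is not None else None


def peek(spool_bytes):
    """PEEK: enumerate every named object inside the spool object."""
    with tarfile.open(fileobj=io.BytesIO(spool_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def read_into_vm(spool_bytes, acknowledged_names):
    """READ the spool object only if every member has been seen beforehand.

    `acknowledged_names` is the set of names the user has actually looked at
    (for example, the output of peek()).  Any member outside that set is the
    "armed warrior in a gift horse" and aborts the read.  Returns a dict of
    name -> bytes on success.  The policy is this example's own assumption.
    """
    hidden = [n for n in peek(spool_bytes) if n not in acknowledged_names]
    if hidden:
        raise ValueError(
            "spool object carries objects not shown in the reader: %s" % hidden)
    out = {}
    with tarfile.open(fileobj=io.BytesIO(spool_bytes), mode="r") as tar:
        for m in tar.getmembers():
            f = tar.extractfile(m)
            out[m.name] = f.read() if f is not None else b""
    return out


# Constructed sample: the object the user expects, followed by one he never saw.
SAMPLE_SPOOL = build_spool_object([
    ("EXPECTED.DATA", b"harmless data the user asked for\n"),
    ("UNSEEN.OBJECT", b"object the reader listing never displayed\n"),
])

if __name__ == "__main__":
    print("reader shows:", naive_reader_listing(SAMPLE_SPOOL))
    print("PEEK shows:  ", peek(SAMPLE_SPOOL))
    try:
        read_into_vm(SAMPLE_SPOOL, {naive_reader_listing(SAMPLE_SPOOL)})
    except ValueError as e:
        print("refused:", e)
    print("after PEEK:", sorted(read_into_vm(SAMPLE_SPOOL, set(peek(SAMPLE_SPOOL)))))
```

Trusting only the first name is exactly the gap: the same check applies to any container format (archives, packages, bundled spool output) where a listing shows less than what an import will materialize.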