Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!mucs!craven!dente
From: dente@craven.ee.man.ac.uk (Colin Dente)
Newsgroups: comp.sys.apollo
Subject: Re: Patches and security
Message-ID: <1491@m1.cs.man.ac.uk>
Date: 20 Jul 90 14:46:44 GMT
References: <1469@m1.cs.man.ac.uk> <1990Jul19.193641.23420@terminator.cc.umich.edu> <7871@jarthur.Claremont.EDU>
Sender: news@cs.man.ac.uk
Organization: Manchester Computer Centre, University of Manchester UK
Lines: 57

In article <7871@jarthur.Claremont.EDU> jonathan@jarthur.Claremont.EDU
(Jonathan Ball) writes about Jim Rees writing about what I said in the
first place:

[Me]
>>> PLEASE keep the nature of security holes quiet.

[Jim]
>>I disagree, and patch 121 is a perfect example of why we need to discuss
>>security holes. Unless I miss my guess, this patch does not fix the hole at
>>all, it just removes a copy of a program that exploits that hole. You go
>>away thinking your machine is now somehow more secure, and anyone who really
>>wants to can still get in.

Well, much as I hate doing it, on reflection I have to (at least
partially) agree with Jim, even though he is correcting me 8-)

When I saw the nature of the patch, I thought 'Great - that solves the
problem entirely' - more fool me! As Jim so rightly points out, all the
patch does is change a single program that doesn't run suid or anything
fancy. The *REAL* security hole is the fact that a simple user-mode
program could, *and still can* create an suid root file when run as a
normal user.

Let's face it, when you consider the nature of this bug - 10.2 CAN NEVER
BE EVEN SLIGHTLY SECURE. Give me access to any machine, and the ability
to load at most two files on, and I can become root by typing a single
command. This is no exaggeration. Even sites which have installed patch
121 are not immune from the effects of this hole (they simply require me
to load two files instead of one).

[Jim]
>>I may be wrong, but since we're not discussing this hole here, we'll never
>>find out, will we?

Unfortunately, you're not wrong - as I said before - 10.2 is wide open.

[Jon]
>Well, perhaps Jim Richardson and anyone else who DOES know what the problem
>is, and HAS applied the patch, could tell us that information without
>revealing the hole to the rest of the world.

Unfortunately, I don't think I can say much more about it without
revealing its exact nature, but I will say this to HP:

If this bug has not been fixed in SR10.3, then I can see no way of
justifying its release. Fixing this bug should be made the highest
possible priority if you wish to have any pretensions towards being a
supplier of professional computer equipment.

Boy am I mad...

--
Colin Dente                     | JANET: dente@uk.ac.man.ee.els
Dept. of Electrical Engineering | ARPA:  dente@els.ee.man.ac.uk
University of Manchester, UK    | UUCP:  ...!ukc!man.ee.els!dente
        ... I am the one you warned me of ...