Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!ucsd!ucbvax!CAEN.ENGIN.UMICH.EDU!pha From: pha@CAEN.ENGIN.UMICH.EDU (Paul H. Anderson) Newsgroups: comp.sys.apollo Subject: Re: Security hole in 10.2 Message-ID: <4c8787802.0017b5e@caen.engin.umich.edu> Date: 31 Aug 90 14:26:13 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 52 In article <9008221551.AA02021@apo.esiee.fr> bonnetf@apo.esiee.fr (bonnet-franck) writes: >I've heard about a BIG security hole in 10.2 !! Yup there is. It takes a few hours to find it, but it's there. ^^^^ or days if you know little of apollo's > >We have some machines running 10.2 and a lot of running 10.1. >Could someone tell me more about that new security problem ? Well that's a problem: Even my local dutch sales rep does not want to give me all the nice and juicy details. He says that they not allowed to do so??????? ( And maybe we're not supossed to know.) As fas as I can tell, is the bug not going to be fixed since al sorts of programs need to be fixed also. The claim is that OS10.3 is going to solve everything! Without going into too much detail, let me say that I know Apollo is working very hard on the problem. I have heard from reliable sources that 10.2 will be have a patch soon, and that a patch for 10.3 will follow. 10.3 has to ship as is, because it is required to support the series 9000/400 machines. I'm hoping to do testing of the patch with our software here on site (maybe 30 major packages or so), so I hope to get a good feeling for how well the patch works. I expect that it will break some packages, so everyone on the internet is going to have to make a tough decision as to whether or not they will apply the patch, or take their chances. Keep in mind that the security hole is only present once someone logs into the Apollo. If the person can't get in, they can't exploit the hole. Therefore, Apollos that are in secure locations are quite safe, provided any access is controlled via physical security or via well chosen passwords. The juicy details of the problem itself are fairly mind boggling. Don't get me wrong - I'm glad they're fixing it, but for them to have put capability like that in the system deliberately completely defies reason. I posted this to explain 1) that Apollo is doing something, 2) that the fix will break other applications, 3) the bug is nasty, 4) that progress is probably being made, and 5) that I'm sick and tired of design decisions that rely on security by obscurity. Paul Anderson CAEN University of Michigan