Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!asuvax!ncar!elroy.jpl.nasa.gov!usc!apple!voder!pyramid!ctnews!unix386!mburg
From: mburg@unix386.Convergent.COM (Mike Burg)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <6027@unix386.Convergent.COM>
Date: 14 Feb 91 19:41:21 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp>
Organization: Unisys/Convergent, San Jose, CA
Lines: 39

In article <27B93F44.5606@tct.uucp>, chip@tct.uucp (Chip Salzenberg) writes:
> According to jpp@specialix.co.uk (John Pettitt):
> >We have confirmed that this does indeed work on ISC 2.2 and that SCO
> >unix does `the right thing' (tm) and core dumps the application.
>
> It is good to see that SCO's engineers, unlike those at ISC and
> Everex, have an effective grasp on the basic principles of memory
> protection covered in the first semester of OS design class.

A two-sided coin problem...

From the view of a person who has worked for various Unix system houses: you can't really blame ISC, ESIX, or any other vendor that currently has the bug in its release. I think the blame should be placed on AT&T. They are the ones who are (were) shipping the base source with the bug. Most AT&T UNIX vendors typically only concentrate on adding more options to the system (i.e. X-Windows, more controller card support, networking). They usually don't look into rats' mazes like memory management.

Now, look at it from the vendor's eyes: you'd be expecting AT&T to ship a somewhat "secure" (if you can call it that) product, without serious holes like this one. Logical conclusion: concentrate on value and price. But after this, I guess not. There's only so much a systems house can concentrate on, and some of them are poorly understaffed.

ON THE OTHER HAND, since you are buying a product from the vendors, you'd *EXPECT THEM* to sell you a stable product. Kind of like selling you a new car, then having it go out of control because your kid decided to change the radio station.

Face it folks, all versions of Unix for the PC have problems of some kind. (Just a matter of what size the explosion will be when it goes off in your face.) It ain't no Ginsu knife offer ("It dices, it slices, it's a multitasking OS and a teeth cleaner! And if you order now you'll receive....")

-- 
----------------------------------
Michael Burg - Unisys/Convergent Corp.
Unix Intel Platforms Division
San Jose
Phone: (408) 456-5934
UUCP: uunet!pyramid!ctnews!unix386.Convergent.com!mburg