Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!midway!gargoyle!ddsw1!karl
From: karl@ddsw1.MCS.COM (Karl Denninger)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Summary: Reply to ISC on this one -- I AM PISSED FOLKS!
Keywords: security bug
Message-ID: <1991Feb18.004416.12447@ddsw1.MCS.COM>
Date: 18 Feb 91 00:44:16 GMT
References: <1991Feb14.004122.1564@ism.isc.com>
Organization: Macro Computer Solutions, Inc., Wheeling, IL
Lines: 61

In article <1991Feb14.004122.1564@ism.isc.com> martys@ism.isc.com writes:
>The recent reports of a security hole in AT&T UNIX System V/386
>Release 3.2, and in the INTERACTIVE UNIX Operating System which
>is based upon it, are accurate. Users with a math coprocessor
>and INTERACTIVE Version 2.2 or later of the INTERACTIVE UNIX
>Operating System should read the INTERACTIVE UNIX System Release
>Notes, page 10, first bullet item for the workaround.

Flame gun on nuclear holocaust setting:

Look, folks. You published 2.2 while KNOWING FULL WELL that the problem
was there. The release notes even hint that you knew about it in 2.0.2
or before -- certainly before 2.2 came out.

Now you've really done it. I hope your company gets sued for gross
negligence and you go bankrupt.

It is one thing to publish a product with a problem like this. It is
another entirely to do so with full knowledge of the hole, the damage it
will cause when exploited, and simply not care. That is, generally, the
definition of gross negligence. It is akin to selling a person a car
with known defective brakes.

There is lots of evidence of this "I don't care" attitude -- the fact
that the bug was reported to you more than 6 months ago and ignored, and
the published description of a "fix" in the release notes for 2.2.

Of course what's not in the 2.2 release notes is that if you apply the
fix, and don't have a math chip, the system will then not be able to do
any floating point math!

>For all other users, INTERACTIVE Systems Corp. will provide a
>comprehensive fix to the problem. It will be provided as an
>update (bug-fix) diskette to users of 386/ix Version 2.0.2,
>INTERACTIVE UNIX Version 2.2.1, and the C2 Security Extension.
>For Version 2.2 users without a math coprocessor, call into
>Warranty support, (213) 453-8649 and ask for the free upgrade
>to Version 2.2.1 as well as the 2.2.1 security-hole bug-fix
>diskette. As with all INTERACTIVE bug-fix diskettes, it will be
>available free of charge through the Support department.

Post the fix. If you have any integrity at all.

>The anticipated availability date of the bug-fix is February 22nd.
>
>Marty C. Stewart
>Support Team Leader
>Interactive Systems Corp.

You and your entire crew deserve to be fired. ISC has deliberately done
this. The "support team" appears to have deliberately ignored the report
of this bug for at least 6 months. It is a >fact< that the problem was
known when 2.2 was released.

Perhaps Kodak will take this seriously enough to enforce some real
discipline from the top level down -- and replace all of you.

(flame gun off)

--
Karl Denninger (karl@ddsw1.MCS.COM, !ddsw1!karl)
Public Access Data Line: [+1 708 808-7300], Voice: [+1 708 808-7200]
Macro Computer Solutions, Inc.		"Quality Solutions at a Fair Price"