Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!lll-lcc!ames!ucbcad!ucbvax!ENGVAX.SCG.HAC.COM!KVC
From: KVC@ENGVAX.SCG.HAC.COM (Kevin Carosso)
Newsgroups: comp.os.vms
Subject: VMS security patch
Message-ID: <8705310849.AA26160@ucbvax.Berkeley.EDU>
Date: Sun, 31-May-87 02:54:00 EDT
Article-I.D.: ucbvax.8705310849.AA26160
Posted: Sun May 31 02:54:00 1987
Date-Received: Tue, 2-Jun-87 01:25:12 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 53

Me and my big mouth...

When I sent a message out to the list indicating that the security patch
went in ok, I also made the (possible) mistake of mentioning that I had a
test program that demo'd the problem. Several (tons) of people have since
asked for a copy of the program, mainly to check their own site's
vulnerability, or they want to know the hole so they can see if their users
have exploited it.

I'm certain that the inquiries were based solely on the best of intentions,
but I cannot in good conscience distribute the thing. I hope people will
understand that I don't wish to bear the responsibility of the program
causing someone a problem because it "fell into the wrong hands".

Most of the reasons and questions I got were:

 - "I need to know if it's serious enough to warrant patching a production
   machine"

   The patch is simple and requires no down-time. Simply reinstall the
   image. The problem is serious enough to warrant you taking every effort
   to patch it.

 - "How do I know if someone exploited it? How do I tell if someone uses it
   in the future?"

   I will say only that it allows a nonprivileged user to modify SYSUAF.DAT.
   If things are strange in SYSUAF.DAT, maybe you got got. Placing an alarm
   ACL on SYSUAF.DAT may help catch someone. A skilled attacker, however,
   may have left no obvious traces so there are no guarantees. It is very
   esoteric. Not something you stumble upon.

 - "How do I know if I need it?" "Is it big enough?"

   You need it if you are running VMS 4.4 or 4.5. I do not know about 4.5A,
   B, and C. I suspect, but have no proof, that it is fixed in 4.6. You
   really do need it.

 - "How do I get the patch? Please send it to me!"

   DEC is making every effort to distribute the patch to all sites. When I
   called, the TSC informed me that a mandatory update was being sent to
   everyone who gets VMS updates. I assume that includes those people who
   don't have TSC access, but still get VMS distributions. If you really
   have no access to TSC, contact your local DEC office. I'm sure they will
   get it to you even if you don't have support. I have only given it to
   those I know personally.

Anyway, I hope everyone can understand my reasons for disappointing them.

        /Kevin Carosso                     kvc@engvax.scg.hac.com
         Hughes Aircraft Co.               kvc%engvax@oberon.usc.edu