SECURITY BUG IN INTERACTIVE UNIX SYSV386

Garry M. Paxinos pax at megasys.com
Fri Feb 15 23:25:34 AEST 1991


In article <6027 at unix386.Convergent.COM> mburg at unix386.Convergent.COM (Mike Burg) writes:
   A two sided coin problem...

Quite true..

   From the view of a person who has worked for various Unix system houses -
   you can't really blame ISC, ESIX, or any other vendors that currently have the
   bug in their release. I think the blame should be placed on AT&T. They are the
   ones who are (were) shipping the base source with the bug. Most AT&T UNIX
   vendors typically only concentrate on adding more options to the system
   (i.e. X-Windows, more controller card support, networking). They usually
   don't look into rats' mazes like memory management. Now, look at it from the
   vendor's eyes - You'd be expecting AT&T to ship a somewhat "secure" (if
   you can call it that) product, without serious holes like this one. Logical 
   conclusion - concentrate on value and price. But after this, I guess not.
   There's only so much a systems house can concentrate on, and some of them
   are poorly understaffed.

I agree completely on the above; with systems as complex as a full Unix
operating system it is quite likely that some things will slip through.

HOWEVER, they clearly were aware of the 'gaping hole' when they released
2.2, as it is openly stated in the release notes (and you don't have to be
a kernel hacker to understand it...  I guess it just shows how many people
really read the release notes :-)  

This, coupled with the fact that the 2.2.1 update did nothing to close the 'hole',
would seem to indicate either extreme incompetence or total disregard for 
customer security and any intent to fix real problems.  Unfortunately, as
they seem to be able to come up with a fix by next Friday (the 22nd), the
latter appears to be the case...

If this weren't so insidious a breach of security I would be a little
more tolerant.  But openly stating it in a Release Note almost a year ago
and then doing absolutely nothing to fix it, even when they have come out with 
an update since then.  Is this a classic definition of negligence or what?

   ON THE OTHER HAND, since you are buying a product from the vendors, you'd
   *EXPECT THEM* to sell you a stable product. Kind of like selling you a 
   new car, then having it go out of control because your kid decided to
   change the radio station.

I agree 100%.

   Face it folks, all versions of Unix for the PC have problems of some kind.
   (Just a matter of what size the explosion will be when it goes off in your
   face.) It ain't no Ginsu knife offer - ("It dices, it slices, it's a
   multitasking OS and a teeth cleaner! And if you order now you'll receive....")

Again, absolutely no argument.  But, alas, it really doesn't apply to this
specific problem.

pax.
--
E-Mail:pax at megasys.com    pax at ankh.ftl.fl.us    gmp at pinet.aip.org
USNail:Megasystems, Inc.    2055 South Congress Ave,  Delray Beach,  FL  33445
UUCP  :{gatech!uflorida!novavax!ankh,   mthvax,  shark,   attmail}!megasys!pax
Voice :407-243-2405   Data: 407-243-2407  Fax: 407-243-2408   Telex: 156281499
          "This is America, Right?!?!?"  member of 2 Live Crew