Arthur T. wrote:
> We have no way of knowing when all customers have applied a System
> Integrity fix to all systems, so that there are no longer any exposed
> systems anywhere in the world. Discussions right here on IBM-MAIN
> suggest that some customers run releases which are no longer
> supported, and a fix will never be available for those unsupported
> releases. As a courtesy to customers with exposed systems, we do not
> discuss the nature of System Integrity APARs, since understanding an
> exposure is one of the steps towards formulating a method of attack on
> an exposed system. Naturally, you may be curious about the nature of
> an exposure, and of course, we would love to show off how clever we
> were in discovering an exposure by telling you all about it. However,
> we feel that your curiosity and our desire to show off are overridden
> by the need to avoid unnecessarily assisting potential attackers.
>
> This particular fix, though, requires each company's security
> department to define who can use SMP/E and in what way. Without
> knowing what the security hole is, how can they know how to assign
> access?

Simple. Assign *full* SMP/E access to anyone that needs to use SMP/E to
install software in your shop. That action alone limits any exposure to
a (typically) small subset of your user community. The exposure is
further limited by IBM secrecy about the problem.
The hope is that none of that small subset of users to whom you have
given SMP/E access will understand how or have a desire to exploit
whatever exposures exist.
--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
[email protected]
http://www.phoenixsoftware.com/