On Wed, 22 May 2013 07:31:35 -0400, Gerhard Postpischil wrote:

>On 5/22/2013 4:54 AM, Shmuel Metz (Seymour J.) wrote:
>> Adequate QA on the fix will take more than a few days. Once IBM makes
>> a fix available, it will take more than a few days for most shops to
>> install it.
>
One must balance the perceived risk of a flawed fix against the threat. If the flaw is being actively exploited, the latter is quite high.

>If this is the hole I think it is, then IBM "fixed" it incorrectly, and
>it had to be reported a second time.
>
>And in the early days IBM was sloppy - the PASSWORD SVC had an
>undocumented function that never checked a passed address; at a minimum
>that would allow anyone to crash the system.
>
Sloppy indeed. A colleague told me that in the Bad Old Days a password facility verified the password by CLC against the passed address. By shifting the probe password across a page boundary and intercepting page faults, on some models he was able to extract a password in about a thousand probes. Unencrypted passwords; no authority revocation on failure count. And TSO LOGON accepted unmasked passwords.

-- gil
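The page-boundary weakness described in the message above, modelled as an added example that is not part of the original post or any IBM code: an early-exit compare that reads straight from the caller's address is set beside a check that copies the operand first and compares in constant time. The page size, the `fetch` memory model, all function names and the sample secret are assumptions made for this illustration.

```python
import hmac

PAGE = 4096  # assumed page size; addresses >= PAGE model a non-resident page

class PageFault(Exception):
    """The fault a caller could intercept in the scenario described above."""

def fetch(mem, addr):
    if addr >= PAGE:
        raise PageFault(addr)
    return mem[addr]

def weak_check(secret, mem, addr):
    # Early-exit compare straight from the caller's address (CLC-like model).
    for i, s in enumerate(secret):
        if fetch(mem, addr + i) != s:
            return False
    return True

def hardened_check(secret, mem, addr):
    # Copy the whole operand first: any fault happens before the secret is
    # consulted, then compare in constant time.
    candidate = bytes(fetch(mem, addr + i) for i in range(len(secret)))
    return hmac.compare_digest(candidate, secret)

def probes_to_recover(check, secret):
    """Return (recovered, probes) for the boundary-shifting probe; None if it fails."""
    n, known, probes = len(secret), b"", 0
    for k in range(n):
        addr = PAGE - (k + 1)          # byte k is the last resident byte
        for guess in range(256):
            mem = bytearray(PAGE)
            mem[addr:PAGE] = known + bytes([guess])
            probes += 1
            try:
                hit = check(secret, mem, addr)   # True only on the final byte
            except PageFault:
                hit = True                       # compare ran past byte k
            if hit:
                known += bytes([guess])
                break
        else:
            return None, probes
    return known, probes

SECRET = b"SYS1PSWD"  # constructed sample value
```

Against `weak_check` the cost is linear in the password length: for an 8-byte secret with uniformly distributed byte values (both assumptions) it averages about 8 × 128 probes, while `hardened_check` faults identically for every guess and the probe learns nothing.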
