On 12 July 2017 at 12:21, Charles Mills <charl...@mcn.org> wrote: > It's not the malware you know about that should worry you the most. The > phrase "zero day exploit" comes to mind.
With something as old as z/OS 1.4 it's not even just zero-days. There are several well known gaping holes in z/OS that have been fixed by IBM in recent releases. In many cases these fixes are quietly issued as "security" with no detail, but in others it's virtually impossible to describe changed behaviour necessitated by the fix without at the same time giving away the vulnerability. For example (and discussed here at some length), until recently it was possible for anyone to use the UNIX execmvs() service to invoke a module in an authorized state and pass a PARM string of arbitrary length. So any AC(1) module in linklist (at least) could be attacked this way, and there is no shortage of them that are vulnerable. Has this been fixed in z/OS 1.4? It's not impossible that IBM pushed it back, with all it's required new infrastructure, but I doubt it. Tony H. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
