On Wed, 12 Jul 2017 18:38:39 -0400, Tony Harminc wrote:

>On 12 July 2017 at 12:21, Charles Mills wrote:
>
>> It's not the malware you know about that should worry you the most. The
>> phrase "zero day exploit" comes to mind.
>
>With something as old as z/OS 1.4 it's not even just zero-days. There
>are several well known gaping holes in z/OS that have been fixed by
>IBM in recent releases. In many cases these fixes are quietly issued
>as "security" with no detail, but in others it's virtually impossible
>to describe changed behaviour necessitated by the fix without at the
>same time giving away the vulnerability. For example (and discussed
>here at some length), until recently it was possible for anyone to use
>the UNIX execmvs() service to invoke a module in an authorized state
>and pass a PARM string of arbitrary length. So any AC(1) module in
>linklist (at least) could be attacked this way, and there is no
>shortage of them that are vulnerable. Has this been fixed in z/OS 1.4?
>It's not impossible that IBM pushed it back, with all its required
>new infrastructure, but I doubt it.
>
I think it was a philosophical blunder early in OS, to presume that
a caller could always be relied on to validate arguments, so called
programs largely didn't make the effort.  "Trust in Allah, but tie
your camel."

Worse, in my view, is that SMP/E has an integrity flaw, irreparable
without revoking facilities documented as supported.  For this,
IBM's recourse since 2010 has been to restrict use of SMP/E to
programmers in a RACF-privileged class.  At that time, IBM
provided no details of the exposure.  Subsequently, the SMP/E
Ref. has provided a clearer explanation.

IBM has always cautioned that in a CMS MDFS filemode *0 can
not be trusted for security.  Over 3 decades ago, the CMS Users
guide reinforced the warning by providing details of the vulnerability.
More recently, the warning remains but the details have been
removed.  This protects users too foolhardy to respect the caution
from intruders too naive to exploit the flaw.

I am not an advocate of security by obscurity.  Publicizing a flaw
is excellent incentive to upgrade.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
