I alerted Computer Associates (CA) to a security hole in one of their
VM products that lets any VM userid control a VM system that runs this
product.  CA wrote a fix.
 
If your VM system's running this product without the fix then it has
this security hole active now.  The security hole is installed by
default and there's no product installation step or configuration
parameter that closes the hole.  

CA and I have agreed to disagree on how well they alert their customers
to the existence of security-related fixes for VM products.

My question to all is would you rather CA labeled VM product fixes as
security-related or not?  Is security thru obscurity better?