IBM has not told me what the problem is, but I think I have a fairly good guess. Given what I have said earlier, I'm surprised that I'm saying this, but in this case the details of how to take advantage of this security hole are probably best left unstated. SMP may not be the only program susceptible to this style of attack. Therefore, closing the hole via SMP may not completely fix the problem.
Don Williams

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Binyamin Dissen
> Sent: Tuesday, April 13, 2010 4:25 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use
>
> On Tue, 13 Apr 2010 16:12:19 -0400 Don Williams <donb...@gmail.com> wrote:
>
> :>Sorry, SMP does not bypass security. The user has to be smart and know what
> :>to do, but no security is bypassed or violated.
>
> If the user cannot update the libraries, all that granting access to these
> resources is allowing the APPLY to abend with a S913 in place of being
> rejected due to lack of permission.
>
> How does allowing access to the SMP functions allow "the potential to
> undermine system security"
>
> --- wait for it ---
>
> "regardless of any data set protections you may have in place."
>
> ??
>
> If I have all the libraries protected - how can SMP alter them?
>
> :>> -----Original Message-----
> :>> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Binyamin Dissen
> :>> Sent: Tuesday, April 13, 2010 2:36 PM
> :>> To: IBM-MAIN@bama.ua.edu
> :>> Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use
>
> :>> On Tue, 13 Apr 2010 09:43:46 -0500 Walt Farrell <wfarr...@us.ibm.com> wrote:
>
> :>> :>Users who are
> :>> :>granted access to these resources have the potential to
> :>> :>undermine system security regardless of any data set protections
> :>> :>you may have in place.
>
> :>> Now that IS scary. It seems to imply that SMP bypasses data set
> :>> security.
>
> --
> Binyamin Dissen <bdis...@dissensoftware.com>
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html