HP3000-L Archives

March 2001, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Johnson, Tracy" <[log in to unmask]>
Reply To: Johnson, Tracy
Date: Mon, 12 Mar 2001 17:03:48 -0500
HP seems to have learned a lot of things about MPE lately.

Do you think it will make a ripple in the CERT or CIAC
bulletins?

Tracy Johnson
MSI Schaevitz Sensors


-----Original Message-----
From: Gavin Scott [mailto:[log in to unmask]]
Sent: Monday, March 12, 2001 5:05 PM
To: [log in to unmask]
Subject: Re: Sec. Vulnerability in MPE/ix's AIF


Security Alert writes:
>    A. Background
>       Hewlett-Packard Company has learned of a procedure by which
>       a user can get unauthorized access to user accounts and
>       databases using architected interface facility (AIF -
>       AIFCHANGELOGON) either directly or indirectly.

Curious.  AIFCHANGELOGON is a privileged routine, so I'm fuzzy on why this
is a big deal.  Assuming I can call AIFCHANGELOGON I can think of lots of
ways it could be used to override one or another common security mechanism,
but I would think that any privileged program that is using AIFCHANGELOGON
should be required to know what it's doing.

If someone writes a program that lets anyone AIFCHANGELOGON at will, then
they shouldn't be too surprised at the result.

I must assume that there was some particularly egregious and unintended
feature that was removed.

It will be interesting to see if the patch breaks anyone's code.

G.
