Hello again, all 3000-L:

Since my forward last night of the HP Security Bulletin on the recently discovered security vulnerability in TurboIMAGE DBUTIL, I have already gotten a couple of direct email requests from individual users that essentially ask:

> > PROBLEM: Given a specific setup, users with ordinary
> > database privileges can gain additional privileges.
>
> So how would a user do this?

One of the people who asked I know personally as one of the "good guys" (if he wasn't being spoofed by someone on the Dark Side; unlikely I expect, but not impossible); the other name I don't recall ever seeing on 3000-L in all the years I have been actively reading this list.

This is one of those cases where I think "security by obscurity" is actually quite good; and as a corollary, if precise details on how to do it and the ramifications thereof are published to the world, the chances that malicious external hackers or disgruntled internal employees will try and exploit it go up by maybe two orders of magnitude. Lest some think I'm being overly paranoid, I would refer you to some of the Internet security experts (I'm not one of them), who could, I expect, tell many if not most of us scary bedtime stories about ingenious hackers and crackers who do automated searches of well-known public discussion lists for key words like "security", etc.... and if they find something "interesting", immediately apply all their mental and machinery resources to try and exploit it.

Therefore: to avoid having to decide who to tell and who not to tell if I get a bunch of private email requests for all the details (and how to "validate" who is asking), I've decided to respectfully refer all questions on details to the HP RC. That way HP can decide how much of the beans they want to spill to those who have support contracts, if any.

No offense intended, and I hope none taken, by everyone who is quite legitimately wondering; guess for right now I'll just try and say "trust me": It's something I would never have thought of. HP's temporary work-around will cover it; and hopefully the patch will be up very soon (maybe a few days). Then people can get the patch and the whole thing will be moot....

I would go so far as to ask anyone who might independently discover this weakness to also refrain from publishing any details on any public list (see again the HP security bulletin).

If anybody is unhappy or disagrees with any of my above, let me know.... But I'm of the opinion that since an immediate workaround is available and a permanent fix will be up "soon", broadcasting the exact details of how to exploit this would be a bad idea; and would *increase* the threat to many systems....

Ken Sletten
SIGIMAGE Chair