[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Sat Sep 24 14:44:42 EDT 2016

[I added the hypothetical to the title line to avoid giving people
here a heart attack while browsing the newsgroup thread titles. :-)]

This is a hypothetical discussion prompted by Ian's discussion of
emulated VAX/Alpha environments and my ongoing concerns that VMS
on x86-64 will put it into the hands of a larger range of security
researchers who might discover new VMS security related bugs (and
maybe even new classes of VMS security bugs).

Scenario:

Suppose someone discovers a major security issue in VMS for IA64
or x86-64 and it turns out to be a common mode vulnerability that
causes VMS on all architectures (from VAX onwards) to be vulnerable.

Now suppose you have some of these vulnerable VAX or Alpha systems
in production use (maybe in an emulated environment so you can
continue to run them as-is without any hardware failure concerns).

Questions:

What would you do to tackle the problem that your old system, which
is long off software support, now has a major new potential security
hole in it ?

HP can't give you a patch for VAX and as I understand it, they won't
be able to give you one for Alpha from the end of this year. [*]

When you decided to continue running your old VAX and Alpha machines
in production, did you take steps to isolate them from the rest of
your network (just as any remaining Windows XP users should have done) ?

Did you also carry out a security assessment at the time to decide
what your exposure would be to any future VMS security issues ?

Or did you just think at the time: "This is VMS. I don't have to
worry about things like that." ?

[*] In order to make that statement, I am going by the table present
on this page:

http://h41379.www4.hpe.com/openvms/openvms_supportchart.html

and assuming that "MPS w/o SE" means that HP will not be able to
generate a new patch for the VMS version in question.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world