[Info-vax] DCL vulnerability write up on The Register

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Feb 7 13:38:09 EST 2018


On 2018-02-07 03:27:01 +0000, IanD said:

> Oh dear...
> 
> This isn't going to win any OpenVMS friends or win over people who were 
> fence sitting wondering if they should stay with the platform or move on
> 
> Fair enough that an exploit was found, harsh that it's being exposed at 
> a time when OpenVMS is trying to make a comeback

...

> The exploit was there for what, 30 years?  Could not the security 
> exploit release have waited for another 6-8 months more (1.6% of 
> the time it existed for!) until VSI rolled out x86 and given people a 
> positive pathway forward?

Um, in what timeline is 2020 six to eight months out?  And in what 
universe is an installed base that still has VAX and Alpha systems in 
use going to be entirely migrated over to x86-64 in anything less than 
an aeon or three?

As for this case?  VSI received a report.  They duplicated it.  They 
fixed it.  Quickly.   They then notified their support customers.  The 
customers then decide whether to apply patches.   That's what operating 
system folks do.  That's what customers do.  This really is a positive. 
Then the...  Here's what we're doing...  Here's how we take security 
seriously.... Here's where we're headed with security...  Etc.

There's a whole lot more work to go into security in OpenVMS, too.  
ASLR/KASLR, no-execute, sandboxes, etc.   But that security work will 
have to fit in around the other work the end customers want and need, 
and security-related enhancements will inevitably break compatibility 
in some areas.  And it'll require changes to how patches are deployed.  
Etc.   There'll inevitably be more security holes found.  That's the 
nature of complex software, this side of seL4.  And given rowhammer and 
other novel attacks, and some interesting-looking SGX-based malware 
being presented in a month or so, quite possibly not even then.

The folks that are chanting "OpenVMS is secure!" aren't doing anybody 
any good, either.




-- 
Pure Personal Opinion | HoffmanLabs LLC 
