Microsoft Security Flaw in Some Software

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Microsoft Engineers Placed Security Flaw in Some Software

Updated 10:12 a.m. ET (1412 GMT) April 14, 2000

NEW YORK - Microsoft programmers slipped a secret password into the company's Internet server software that could allow illicit backdoor access to hundreds of thousands of Web sites, and possibly users' credit card numbers, The Wall Street Journal reported Friday.

The rogue computer code was discovered in a three-year-old piece of software by two security experts, the newspaper said. Contained within the code is a derisive comment aimed at a Microsoft rival: "Netscape engineers are weenies!"

Steve Lipner, who manages the company's security-response center, described such a password as "absolutely against our policy" and a firing offense for the as-yet unidentified employees.

There have been no reports of site access through the code, but the affected software is believed to be used by many Web sites.

The file, called "dvwssr.dll", is installed on Microsoft's Internet-server software with FrontPage 98 extensions. A hacker may be able to gain access to key Web site management files, which could in turn provide access to such things as customer credit card numbers, The Journal reported.

Microsoft urged customers to delete the file and planned to warn customers with an e-mail bulletin and an advisory published on its corporate Web site.

The code was apparently written by a Microsoft employee in 1997, near the peak of the battle between Netscape Communications Corp. and Microsoft over their versions of Internet-browser software, the newspaper reported.

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider."

"It's a serious flaw," Mr. Cooper was quoted as saying by the Journal. "Chances are, you're going to find some major sites that still have it enabled."

Lipner said the problem doesn't affect Internet servers running Windows 2000, or the latest version of its server extensions included in FrontPage 2000.

The digital loophole initially was discovered by a Europe-based employee of ClientLogic Corp. of Nashville, Tenn., which sells e-commerce technology. The company declined to comment because of its coming stock sale. The other expert, a professional security consultant known as Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee.

When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, told the Journal it was a case of "classic engineer rivalry."

http://www.foxnews.com/vtech/041400/microsoft.sml

-- Martin Thompson (mthom1927@aol.com), April 14, 2000
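The only mitigation the article gives is to find and delete the file. The script below is an added example (not code from the article, the forum post, or Microsoft) of how an administrator would inventory web roots for that file before removing it: it walks a directory tree, matches the name case-insensitively (Windows file systems ignore case), records each copy's path, size and SHA-256 for the incident record, and can then delete the copies. The directory layout it builds is constructed for the demo; only the file name dvwssr.dll comes from the article.

```python
"""Inventory and removal check for dvwssr.dll (the file named in the article).
Added example, not code from the article or from Microsoft."""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_NAME = "dvwssr.dll"  # file name quoted in the article


def sha256_of(path: Path) -> str:
    """Hash the file so each finding is recorded before it is deleted."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str = TARGET_NAME) -> list[dict]:
    """Return one record per file under root whose name matches, ignoring
    case (so DVWSSR.DLL on a Windows volume is still found)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == name.lower():
                p = Path(dirpath) / fn
                hits.append({"path": str(p),
                             "size": p.stat().st_size,
                             "sha256": sha256_of(p)})
    return sorted(hits, key=lambda r: r["path"])


def remove_copies(hits: list[dict]) -> int:
    """Delete every reported copy (the mitigation the article describes).
    Returns the number of files removed."""
    removed = 0
    for rec in hits:
        os.remove(rec["path"])
        removed += 1
    return removed


def build_demo_tree() -> Path:
    """Constructed sample tree: two copies under different site roots
    (one in upper case) plus two decoy files that must not match.
    The paths and contents are made up for this demo."""
    root = Path(tempfile.mkdtemp(prefix="dvwssr_demo_"))
    layout = {
        "site1/bin/dvwssr.dll": b"constructed sample, not the real DLL",
        "site2/bin/DVWSSR.DLL": b"constructed sample, upper-case name",
        "site2/bin/other.dll": b"decoy: unrelated file",
        "site3/readme.txt": b"decoy: text file",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_copies(demo_root)
    for rec in found:
        print(f"{rec['path']}  {rec['size']} bytes  sha256={rec['sha256']}")
    print(f"removed {remove_copies(found)} copies; "
          f"remaining: {len(find_copies(demo_root))}")
```

Run it against a real web root by replacing the demo tree with the server's site directory; the hash column is there so the record of what was deleted can be compared later against whatever the vendor advisory publishes.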