Weenie jibe in FrontPage leaves MS web servers wide open
Unauthorised, employee-written back doors - whatever will they think of next?
Web servers running Microsoft Internet Information Server with FrontPage 98 extensions have a built-in back door, thanks to some code with abusive comments about Netscape that was inserted in the software by a Microsoft coder. Microsoft has acknowledged that the code can act as a back door password, making it a lot easier for hackers to gain unauthorised access. The code, in dvwssr.dll, is commented "Netscape engineers are weenies!" But considering the consequences of its discovery, that probably makes Microsoft engineers suicidal bozos. According to a story in today's Wall Street Journal, Microsoft acknowledges the existence of the hole and intends to issue an email bulletin and security alert, but at time of writing the company appeared not to have done so. It seems to be possible to fix the hole by simply deleting dvwssr.dll, but the delay in publishing the alert perhaps suggests that the code isn't entirely pointless. If it turns out to be, maybe Microsoft could publish us a list of any other useless DLLs it ships... Microsoft does, however, seem to be taking the issue seriously, and views the unauthorised insertion of the code as a sacking offence. But the fact that the offence was committed in the first place will raise further questions about the security of Microsoft's Web offerings, and make it even more difficult for the company to get sites to use them. You wait hours for a massive PR own-goal, then two come along on the same day... According to the WSJ, the hole was identified by security consultant 'Rain Forest Puppy' who was tipped off about it by a European employee of e-commerce software outfit ClientLogic Corp. Mr Puppy, who's been prominent in the exposure of previous IIS security problems, has emailed Microsoft warning that the hole could "improve a hacker's experience". The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k. ®
Sponsored: Network DDoS protection