The Register® — Biting the hand that feeds IT

Feeds

Weenie jibe in FrontPage leaves MS web servers wide open

Unauthorised, employee-written back doors - whatever will they think of next?

By John Lettice, 14th April 2000
  • print
  • alert

Magic Quadrant for Enterprise Backup/Recovery

Web servers running Microsoft Internet Information Server with FrontPage 98 extensions have a built-in back door, thanks to some code with abusive comments about Netscape that was inserted in the software by a Microsoft coder. Microsoft has acknowledged that the code can act as a back door password, making it a lot easier for hackers to gain unauthorised access. The code, in dvwssr.dll, is commented "Netscape engineers are weenies!" But considering the consequences of its discovery, that probably makes Microsoft engineers suicidal bozos. According to a story in today's Wall Street Journal, Microsoft acknowledges the existence of the hole and intends to issue an email bulletin and security alert, but at time of writing the company appeared not to have done so. It seems to be possible to fix the hole by simply deleting dvwssr.dll, but the delay in publishing the alert perhaps suggests that the code isn't entirely pointless. If it turns out to be, maybe Microsoft could publish us a list of any other useless DLLs it ships... Microsoft does, however, seem to be taking the issue seriously, and views the unauthorised insertion of the code as a sacking offence. But the fact that the offence was committed in the first place will raise further questions about the security of Microsoft's Web offerings, and make it even more difficult for the company to get sites to use them. You wait hours for a massive PR own-goal, then two come along on the same day... According to the WSJ, the hole was identified by security consultant 'Rain Forest Puppy' who was tipped off about it by a European employee of e-commerce software outfit ClientLogic Corp. Mr Puppy, who's been prominent in the exposure of previous IIS security problems, has emailed Microsoft warning that the hole could "improve a hacker's experience". The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k. ®

Magic Quadrant for Enterprise Backup/Recovery

Send Corrections

More from The Register

Microsoft to open Windows Stores inside 600 Best Buy locations
Product showcases 'must be seen to be believed'
53
Author Iain (M) Banks falls to cancer at 59
Misses the release of his final work
97
breaking news
Online music world on iRadio: Apple, imagine our concern
*Sarcastic face*
55
What did the Lehman Brothers implosion look like to a techie?
Insider tells all about the Gnab Gib at Lehmans
34
It's official: 'tweet' an English word – not just in the avian sense
If the Oxford English Dictionary says it is so, then it is so
52
breaking news
The only Waze is Google: Ad giant tipped to gobble map app 'for $1.3bn'
Pac-Man-satnav-ish upstart in bidding war with Apple, Facebook
16
breaking news
1-in-10 e-tomes 'are self-published'... most are 'rubbish' says book ed
Publishing man scoffs at go-it-alone writers, ursines still fouling in forests
50
breaking news
Vodafone puts in multi-billion euro bid for German cable giant
Achtung! Jetzt kommt ein Vodamaschine...
5
Facebook RSS reader said to uncloak June 20
Secret event scooped by Scottish developer?
11
Tech giants' offshore cash-stashing is only ever a delaying tactic
Someone always pays, sooner or later
68