Feeds

Weenie jibe in FrontPage leaves MS web servers wide open

Unauthorised, employee-written back doors - whatever will they think of next?

  • alert
  • submit to reddit

Seven Steps to Software Security

Web servers running Microsoft Internet Information Server with FrontPage 98 extensions have a built-in back door, thanks to some code with abusive comments about Netscape that was inserted in the software by a Microsoft coder. Microsoft has acknowledged that the code can act as a back door password, making it a lot easier for hackers to gain unauthorised access. The code, in dvwssr.dll, is commented "Netscape engineers are weenies!" But considering the consequences of its discovery, that probably makes Microsoft engineers suicidal bozos. According to a story in today's Wall Street Journal, Microsoft acknowledges the existence of the hole and intends to issue an email bulletin and security alert, but at time of writing the company appeared not to have done so. It seems to be possible to fix the hole by simply deleting dvwssr.dll, but the delay in publishing the alert perhaps suggests that the code isn't entirely pointless. If it turns out to be, maybe Microsoft could publish us a list of any other useless DLLs it ships... Microsoft does, however, seem to be taking the issue seriously, and views the unauthorised insertion of the code as a sacking offence. But the fact that the offence was committed in the first place will raise further questions about the security of Microsoft's Web offerings, and make it even more difficult for the company to get sites to use them. You wait hours for a massive PR own-goal, then two come along on the same day... According to the WSJ, the hole was identified by security consultant 'Rain Forest Puppy' who was tipped off about it by a European employee of e-commerce software outfit ClientLogic Corp. Mr Puppy, who's been prominent in the exposure of previous IIS security problems, has emailed Microsoft warning that the hole could "improve a hacker's experience". The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k. ®

Boost IT visibility and business value

More from The Register

next story
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.