Feeds

Weenie jibe in FrontPage leaves MS web servers wide open

Unauthorised, employee-written back doors - whatever will they think of next?

  • alert
  • submit to reddit

Intelligent flash storage arrays

Web servers running Microsoft Internet Information Server with FrontPage 98 extensions have a built-in back door, thanks to some code with abusive comments about Netscape that was inserted in the software by a Microsoft coder. Microsoft has acknowledged that the code can act as a back door password, making it a lot easier for hackers to gain unauthorised access. The code, in dvwssr.dll, is commented "Netscape engineers are weenies!" But considering the consequences of its discovery, that probably makes Microsoft engineers suicidal bozos. According to a story in today's Wall Street Journal, Microsoft acknowledges the existence of the hole and intends to issue an email bulletin and security alert, but at time of writing the company appeared not to have done so. It seems to be possible to fix the hole by simply deleting dvwssr.dll, but the delay in publishing the alert perhaps suggests that the code isn't entirely pointless. If it turns out to be, maybe Microsoft could publish us a list of any other useless DLLs it ships... Microsoft does, however, seem to be taking the issue seriously, and views the unauthorised insertion of the code as a sacking offence. But the fact that the offence was committed in the first place will raise further questions about the security of Microsoft's Web offerings, and make it even more difficult for the company to get sites to use them. You wait hours for a massive PR own-goal, then two come along on the same day... According to the WSJ, the hole was identified by security consultant 'Rain Forest Puppy' who was tipped off about it by a European employee of e-commerce software outfit ClientLogic Corp. Mr Puppy, who's been prominent in the exposure of previous IIS security problems, has emailed Microsoft warning that the hole could "improve a hacker's experience". The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
4chan outraged by Emma Watson nudie photo leak SCAM
In the immortal words of Shaggy, it wasn't me us ... amirite?
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.