Microsoft Admits To Backdoor In IIS [updated]

Posted by timothy
from the but-open-source-cannot-be-trusted dept.
Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.
  • by Anonymous Coward
    I would recommend the installation of Apache server in lieu of IIS.

    Apache, on the Internet's World-Wide-Web network at hypertext transfer protocol site www.apache.org, is the world's most popular Internet server for World-Wide Web services. Internet Information Services, on the other hand, is not. I have published additional guides on the subject, which can be purchased for $19.95 each.
  • by Anonymous Coward
    linuxcodersareweenies
  • by Anonymous Coward
    We have all known about the back door for a while, but the date encoded in the URL is 2001 05 14. I can only presume that it's taken this long for Microsoft to admit to the backdoor. Admission is good. MS did the right thing, a year or so late!
  • by Anonymous Coward
    If you are an IT professional using Frontpage you should be fired. Everyone worth a bit knows that Frontpage is a toy that sucks. And you also don't install the InterDev extensions on production either. But this is shit about as interesting as Oracle's INTERNAL/SYSTEM login and password. I mean you have to be a professional.
  • by Anonymous Coward on Monday May 14, 2001 @11:16AM (#223297)
    because they're experienced at going down several times a night.
  • Code reviews on a team basis are one thing, as are the inevitable bugs that slip through the cracks in this environment.

    Backdoors which have been specifically placed there *by design*, as an implementation of corporate policy regarding control and access to 'fielded products', are another thing entirely.

    Your company - Microsoft - has a particularly bad habit when it comes to shifty, underhanded policies such as this backdoor situation, and therefore it's not unreasonable to expect that the community at large raise alarm torches when holes such as this are discovered.

    I don't disagree with you that security by peer review has its flaws.

    But then, so do Microsoft's aggressive predatory business practices.
  • That's amazing! I've got the same combination on my luggage.


    Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16
  • by tzanger (1575)

    So they gave us the DLL with the offending code. I've not looked to see how big the DLL is but wouldn't it be pretty straightforward to locate the backdoor password now?

  • The fact of the matter is that, short of releasing source code, there is no way that your customers can be sure that there aren't any backdoors. For example, it would be much easier for your Dev team to insert a method called PayEntireDevTeam() than for one member to insert the mythical PayTim() method. For Tim to get away with the insertion of his method he would have to be more clever than all of the reviewers. But if all of the auditors were in on the backdoor then there is no defense.

    I would like to think that Microsoft would be trustworthy on this account. But this is the same company that released a spreadsheet that doubled as a flight simulator. Quite frankly, I doubt that a whole lot of auditing actually occurs. And if you can convince a group of Microsoft employees that a flight simulator is an important feature of a spreadsheet, then inserting a backdoor should be child's play.

  • Neither Linux nor Apache has ever had a security problem that was intentional. This particular problem wasn't a bug, it was a backdoor. Some clever coder at Microsoft even used a joke password.

    At least with Linux or Apache there is some chance that someone else is going to catch something this idiotic. With Microsoft the problem apparently can remain unreported to the general public for years. Clearly there is a difference between some random buffer exploit and a backdoor that was specifically placed there by an employee and that was somehow "missed" in the code review.

  • I disagree. Open Source Peer Review relies on a voluntary effort. Throw the source up on an FTP site, and hope someone reads it.

    Commercial software on the other hand frequently has frequent code reviews done internally. Other staff looking at code to fix it, or sometimes group code review sessions.

  • "Get your head out of the sand, please."

    Wow, I think maybe your tin foil hat needs some adjustment today.

  • Oh blather. You attribute to malice what is obviously explainable through incompetence. It would be pathetically illogical to believe there was a Microsoft conspiracy to introduce back doors to all their software.

    The problem with conspiracies is they fall apart the larger the group is who knows about it. Why just this week before Congress they are talking about Ted Olson's involvement in the vast right-wing conspiracy to discredit President Clinton.

    Everybody pretty much even knew that existed, but couldn't pin down who was involved. Well now the evidence is leaking out because of one disgruntled former magazine editor.

    And that was a conspiracy involving only a couple of dozen people.

    Microsoft has thousands of developers, on the other hand...

  • You should do a search on google.com for Aluminum Foil Deflector Beanie.

    I think you need a replacement.
  • That only works if the compiler can detect the routines which generate output. Given a new compiler or a significantly revised version of the compiler, this will not work. So, if I have two compilers, compiler A and B, I can use one to compile the other, and then compile the first one again, and I'll have a clean compiler.
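An added worked model of the compiler trap Ken Thompson described and of the two-compiler check this comment proposes (the technique is known as diverse double-compiling); the code is not from any commenter or from Thompson's paper. The toy "language" is Python, a "binary" is source text with comment lines removed, and the magic password 'MAGIC' and every function name are constructed for the example.

```python
# Toy model of the "trusting trust" compiler trap and the two-compiler check
# (diverse double-compiling). Everything is constructed for illustration:
# the language is Python, a "binary" is source text with comment lines
# removed, and "running" a binary means exec()-ing that text.

HONEST_COMPILER_SRC = '''
def compile(src):
    # honest toy compiler: emit every line that is neither blank nor a comment
    lines = []
    for line in src.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            lines.append(line.rstrip())
    return "\\n".join(lines) + "\\n"
'''

LOGIN_SRC = '''
def check_password(candidate, stored):
    # honest equality check; this source contains no backdoor
    return candidate == stored
'''

# The trojan exists only in the compiler *binary*, never in any source file.
# Hook 1 backdoors every login program it compiles; hook 2 re-appends the hook
# whenever it compiles a compiler, so rebuilding from clean source keeps it.
# The hook carries its own text (quine style) so it can copy itself forward.
HOOK_TEMPLATE = '''
_honest_compile = compile
def compile(src):
    out = _honest_compile(src)
    if "def check_password" in src:
        out = out.replace("return candidate == stored",
                          "return candidate == stored or candidate == 'MAGIC'")
    if "def compile" in src:
        out += HOOK
    return out
HOOK_TEMPLATE = %r
HOOK = HOOK_TEMPLATE %% HOOK_TEMPLATE
'''
HOOK = HOOK_TEMPLATE % HOOK_TEMPLATE


def load(binary_text, name):
    """'Run' a toy binary: exec its text and hand back the named function."""
    namespace = {}
    exec(binary_text, namespace)
    return namespace[name]


def trusted_compile_b(src):
    """Independent second compiler for the same toy language (constructed)."""
    kept = [l.rstrip() for l in src.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return "".join(k + "\n" for k in kept)


def build_shipped_binaries():
    """Return (honest binary, trojaned binary); both claim HONEST_COMPILER_SRC
    as their source, and that source really is clean."""
    honest_binary = trusted_compile_b(HONEST_COMPILER_SRC)
    return honest_binary, honest_binary + HOOK


def login_accepts(compiler_binary, candidate, stored):
    """Compile the honest login source with a compiler binary, then try a login."""
    login_binary = load(compiler_binary, "compile")(LOGIN_SRC)
    return load(login_binary, "check_password")(candidate, stored)


def ddc_matches(suspect_binary, compiler_src, trusted_compile):
    """Diverse double-compiling: build the suspect's source with an independent
    trusted compiler, let that result build the source again, and compare with
    the shipped binary. A clean, deterministic compiler reproduces itself."""
    stage1 = trusted_compile(compiler_src)
    stage2 = load(stage1, "compile")(compiler_src)
    return stage2 == suspect_binary


def demo():
    honest_bin, trojaned_bin = build_shipped_binaries()
    return {
        # the login source is clean, yet the compiled login accepts 'MAGIC'
        "backdoor_in_login": login_accepts(trojaned_bin, "MAGIC", "s3cret"),
        "honest_login_rejects": not login_accepts(honest_bin, "MAGIC", "s3cret"),
        # recompiling the compiler from clean source with the trojaned binary
        # reproduces the trojaned binary byte for byte
        "trojan_survives_rebuild":
            load(trojaned_bin, "compile")(HONEST_COMPILER_SRC) == trojaned_bin,
        # the two-compiler check passes the honest binary and flags the trojaned one
        "ddc_passes_honest": ddc_matches(honest_bin, HONEST_COMPILER_SRC, trusted_compile_b),
        "ddc_flags_trojan": not ddc_matches(trojaned_bin, HONEST_COMPILER_SRC, trusted_compile_b),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```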
  • Whoever you bought your product from. If I buy it from RH, they are responsible.

    With free software you get whatever you want. You want access to the source? You got it. You want to pay someone else to be held accountable? You got it. Anything is possible.
  • Recompile? But wait, can you trust the compiler? Ken Thompson says you can't [acm.org].
  • Okay, as much as I hate MS products and their lack of options, the revelation of this back door is NOT perfect.

    It means that there's a bunch of poor bastards out there who're going to get their systems trashed because they believed in Microsoft.

    Yes. This may be a wicked little ego boost to the mindless OSS boosters. But to everyone else, it's a pain in the ass and potentially VERY damaging to some people's sites/businesses.

    So gloating to the point of calling this "perfect" is WAY off-base. And, frankly, I'd expected a little more from you guys.


    Chas - The one, the only.
    THANK GOD!!!

  • So.. Are Netscape engineers STILL Weenies?

    Well, unemployed weenies I guess...

  • All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

    Security.

    While I can see the theoretical, practically this is not true [earthweb.com]. In practical terms almost no one actually analyzes the source with any intensity apart from the people who are the primary programmers (hence the ones who would likely be planting the backdoors). I do CVSups on my FreeBSD [freebsd.org] fairly frequently and I'm basically entrusting that machine absolutely and entirely to the FreeBSD CVS controllers (which of course means if they were compromised I'd be ownzed). I'd wager >99.5% of open source users are exactly the same way: You presume that because the source is available there are tonnes of selfless individuals busily auditing it, but the reality is quite different.

    The simple reality is that most current software projects are HUGE and there simply isn't enough time in a lifetime for each of us to analyze all of the code we run with anything more than a cursory glance. And if anyone thinks they'll scan through and see

    // Embed backdoor
    if (strcmp(password,"REDHAT")==0) {
        iPriority=1000;
    }
    then they have an enormously naive impression of how a backdoor would be embedded in code subtly. For all you know a number of the software products you are running might be waiting for a magic byte string to come along when it bows to its real master.

  • While this is true, there is an advantage of open source. That advantage is that anyone can look at the source to find backdoors. Basically that you have the source and can search for user names and passwords. In closed source you do not have this option and you MUST rely on the vendor to provide you this information.

    Question: How long do you think that Microsoft REALLY knew about this back door?

    Question: How many systems have they accessed or could they have had access to because of this?

    While I agree that no one may have looked at all the source, I think it is a little more difficult for things like this to happen with open source.

    As far as kernel patches go, I think Linus does look at the patches; as well, they are usually reviewed by other developers, and it is not a matter of "here, take my word". Besides, you don't usually put usernames and passwords in the kernel; you put them in other software.

    Apache probably watches out for back doors pretty closely I'd imagine or at least hope.

    I don't want a lot, I just want it all!
    Flame away, I have a hose!
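An added example (code from neither commenter) of the grep-style source audit the two comments above argue over: a small scanner over constructed C fragments that flags comparisons of credential-named variables against string literals and leftover comment markers. It catches the blatant REDHAT check and a FIXME debug login, but, as the earlier comment argues, not an equivalent check that compares a hash constant instead of a string; the hash value is an illustrative placeholder.

```python
import re

# Constructed C fragments. The first is the blatant check quoted in the earlier
# comment; the second carries a leftover FIXME debug login; the third grants the
# same privilege but compares a hash, so no magic string appears in the source.
OBVIOUS_SRC = r'''
/* Embed backdoor */
if (strcmp(password, "REDHAT") == 0) {
    iPriority = 1000;
}
'''

MARKER_SRC = r'''
// FIXME: remove debug login before release
if (!strcmp(user, "debug") && !strcmp(passwd, "letmein")) grant_all();
'''

SUBTLE_SRC = r'''
static unsigned long h(const char *s) { unsigned long v = 5381; while (*s) v = v * 33 + *s++; return v; }
if (h(password) == 0xDEADBEEFUL) {   /* compare against a precomputed hash (illustrative constant) */
    iPriority = 1000;
}
'''

# Identifiers that suggest a credential is being handled.
CRED = re.compile(r"\b(?:pass(?:word|wd)?|pwd|secret|token|key|cred\w*)\b", re.I)
# Calls to the C comparison functions, capturing the argument list up to the first ')'.
CMP_CALL = re.compile(r"\b(?:str(?:n|case|ncase)?cmp|memcmp)\s*\(([^;]*?)\)")
STR_LIT = re.compile(r'"(?:[^"\\]|\\.)*"')
# Comment text that a release-time grep should not let through.
MARKER = re.compile(r"\b(?:FIXME|TODO|XXX|HACK|backdoor|debug)\b", re.I)
COMMENT = re.compile(r"//.*|/\*.*?\*/")


def scan(source):
    """Return (line number, rule, line) for each suspicious line.

    Rule 1: a comparison function whose arguments include both a string
    literal and a credential-named identifier (a hard-coded password check).
    Rule 2: a comment containing a leftover marker word.
    """
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        for call in CMP_CALL.finditer(line):
            args = call.group(1)
            # strip the literals first so a credential word inside a string does not count
            if STR_LIT.search(args) and CRED.search(STR_LIT.sub("", args)):
                findings.append((number, "literal_credential_compare", line.strip()))
        for comment in COMMENT.finditer(line):
            if MARKER.search(comment.group(0)):
                findings.append((number, "suspicious_marker", line.strip()))
    return findings


def audit(sources):
    """Scan several fragments and report what the grep-style review would catch."""
    return {name: scan(src) for name, src in sources.items()}


if __name__ == "__main__":
    report = audit({"obvious": OBVIOUS_SRC, "marker": MARKER_SRC, "subtle": SUBTLE_SRC})
    for name, hits in report.items():
        print(name, "->", [f"line {n}: {rule}" for n, rule, _ in hits] or "nothing flagged")
```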

  • On the contrary, that's the first time that link's been on-topic in quite a while.

    Caution: contents may be quarrelsome and meticulous!

  • I'm not sure why they insisted on removing that kind of comment. It's lots of work, and though the comment isn't ideally informative, it's sure better than no comment at all.

    Perhaps many of their coders were under 18, and wouldn't be allowed to look at the code?

    Caution: Now approaching the (technological) singularity.
  • Really. I've never seen that picture, just the one after Bill has left. [goatse.cx]

    --
  • You misunderstand Ken Thompson. In fact, he's proving the point about Microsoft's closed software. He is pointing out that you cannot trust one source for all of your software. The compiler and the telnet daemon were both written by the same person, and he put in the back door in both.

    MS selling you the OS, the compiler, the web server, the mail server, the database, the office applications...it's a very dangerous situation if your company takes its privacy seriously. Combine that with Microsoft Passport and Hailstorm and you'd have to be either psychotic or stupid (possibly both) to use .NET.

    -jon

  • I take it you are being dense on purpose.

    The problem with using Passport and Hailstorm on top of using IIS, NT/2000, SQL Server, Exchange, Word/Excel, MSC++, etc. is that you don't know what back doors there are in these apps. They are all getting more and more integrated together. Do you packet-sniff your lines? Are you sure what data is being sent where? Do you know what extra code is being placed in your code by MS' C++ compiler?

    I'm not saying there are back doors, or even that MS _as a company_ wants to do that. But there are 30,000+ Microsoft employees. All it takes is a couple of programmers in a couple of different departments, working together to put in a set of related trojans. With millions of lines of code, they'll probably slip through code reviews. Heck, with some misleading comments in the code, they'd pass through a code review pretty easily.

    How much effort would it be for someone to add code to Excel to automatically email any document which has the words "Payroll Report" in it? Cross-reference the names with people who have Microsoft Passport accounts. Maybe we can find some direct deposit records and have those automagically sent off. I could probably get a fairly complete picture of all information about you, to use as I see fit.

    Paranoid? Maybe. But it only takes a couple of rogue programmers.

    -jon

  • On the older topic the issue of Q&A procedures came up.
    A lot of people see open source as being so great because you can fix the bugs when the software breaks.
    The objective of Q&A is to fix the bugs so when you get the product it is already working.
    If the code is written correctly Q&A can do its job..
    A point was made (in a very crude way) that poorly written open source isn't going to be easier to fix under "many eyes". Weak fradual code is going to break no matter what system you use to fix it. Making ANY changes breaks the code.

    I should now mention one of the OTHER advantages of open source...

    In reality there is only one thing you CAN do with poorly written code... toss it...
    But when you invest $100 to $1,000 into software you are stuck with it.
    Having spent no money on the software you downloaded and installed you can throw it away.
    I'm sure a lot of open source developers would prefer you didn't consider this option but it is valuable to know that you are not stuck with it before you get a chance to try it out.
    (This is the whole guiding idea behind shareware.. Try before you buy. Freeware has this same advantage. Actually you have this advantage with video games in some cases if the store carries a console with the games running)

    So in short bad products that are beyond repair can be disposed of in open source.
    Now it would be much nicer if coders would just not make crap code to start with. Open source doesn't prevent it any more than closed. It's just easier to dispose of.
  • Oh, as a programmer I realize Open Source also means Tons Of Code to Worry About. However, it still presents an advantage over Closed Source in that there is the opportunity to look through the code and the opportunity to adapt the code, and a different developmental mindset.

    Not a perfect deterrent to potential abusers, but at least one that is there. Hey, I'll take what I can get.

  • by Badgerman (19207) on Monday May 14, 2001 @11:14AM (#223339)
    All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

    Security.

    Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.

    Now I'll be first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsoft's policies and attitudes, and now this debacle . . . that's highly bashable, that's indefensible.

    Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alternative to Microsoft.

  • Sorry I'm a fanatic, but "Closed Source" sounds so harmless.

    Please say "Proprietary Software" as it should be....

    Hugo
  • by SEWilco (27983) on Monday May 14, 2001 @12:31PM (#223345) Journal
    Actually, the URL of the Yahoo article includes "20010514". Today's date is 2001/05/14. Apparently it's new news at Yahoo.

    The only date in the article or within the HTML is "Last Thursday", the same phrasing in the 2000/04/14 WSJ article. Microsoft's information is within this modified security bulletin [microsoft.com].



  • Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature")


    If you understood directories and group policies, you would understand why this is so. Of course, most people "happy to run Linux" don't get the purpose of directories (NDS, ADS or otherwise) to control and organize information within a company.



    I tried not to act like a zealot when I posted the message. I'll admit to being rather distrustful of MS, but I also included a link to their take on the issue, as well as a comment that they'd already provided both a workaround and a patch.

    Okay, I'll admit I probably don't understand the idea of Directories and Group policies that well. I am mostly a normal user. I've been forced to do some system administration (NT/Unix) for my group due to both Budget constraints and available personnel.

    What I got out of the MS announcement was that Group policies overrode system configuration settings. To me this seems like a bad idea since it doesn't allow a system level granularity to shut things off (unless I misunderstood).

    Please, instead of just brushing off my comment as "You must know nothing", enlighten me. I'm actually curious and will readily accept both new knowledge, and new insight to old knowledge.
  • From "The Big Guy and Rusty the Boy Robot" (ran out of room in the quote limit) From a Corporate head to the lead scientist as Rusty charges huge alien and gets squished (again). :)
  • It could fix things, I just don't think anyone would really notice, or pay much attention.

    Although one could define installing Linux unasked malicious (I would even though I use Linux), and generating SPAM, or portscanning systems could be construed as malicious, I suppose the virus doesn't have to be.

    Okay. I'll take the challenge (of design if not implementation :).

    For a virus to be non-malicious and still raise public awareness enough it would have to propagate itself (unchanged), but instead of wiping the target's hard drive, or removing files, etc. it could generate a list of known vulnerabilities (as best as it can), that the target's system is vulnerable to, and e-mails it (or sets it up to run on reboot in the autoexec.bat and then after reading that doc, you can continue to standard bootup). This would 1) show people they are vulnerable, 2) detail (to some extent) they are vulnerable, 3) its non-malicious nature might allow it to propagate by "benign" distribution (as a security tool). I could see one person saying, "Hey, let me send you this file, it lists all the problems on your system". Avoiding the need to work on anything more.

    Hmmm you make me wonder if instead of a virus the answer might lie in a Free/OSS P.H.D. Windows Security Audit Tool (phd = Push Here Dummy).

    I'm not aware of one but I'm going to start looking. If it was "Cool" enough people would distribute it like they do other "Flash Programs" (not suggesting writing it in flash, just an example).
  • by powerlord (28156) on Monday May 14, 2001 @12:28PM (#223349) Journal
    I hate to say it, but what it will take is something truly vindictive. A worm on the scale of the ILOVEYOU virus, but with a truly destructive payload. The ILOVEYOU virus wasn't that destructive to most people. It targeted MP3s, and several Media files. Neat, okay. But it still left your computer usable.

    Imagine a virus on this scale that does the following:

    1) replicate itself through either e-mail attachment, or by forwarding a random encoded name (cut/paste algorithm from mailbox? past message with a "I'm not sure I sent you this" + Subject, replacing a link within the message for a poisoned website/ftp site.

    2) wipe all network attached drives

    3) enter commands in the registry's "RunOnce" section to remove the system files on the next reboot (these can only be done prior to their being loaded, otherwise the system tends to be persnickety about it). Don't forget things like the CMD/COMMAND shell.

    4) (optional) attempt a remote access/infect of all machines within a given IP range (defined by SubnetMask?).

    5) If you are using step 4 then move step 1 to here so recently hacked/poisoned web/ftp sites can be inserted into mail message preventing stagnation of link. For extra credit have the virus self-modify to include a running list of where it's been (or what sites it's tried to help cut down on duplicated effort. Short run log might also help trace back to source so the IP addresses should be normalized/sorted, not appended to the end. This will also help in updating the list as the worm moves).

    6) You've done all the mischief you can. Now reboot the system to truly FSCK the end user.

    This is just a broad outline, but seriously.
    If this sort of thing happened, the results would be two-fold.

    1) Definite: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not their fault.

    2) Less Likely: (but wishful) People might realize how security is iterative and valuable. It is much more tangible than the social contract most of us assume it to be. We figure, "we're not worth it", or , "who would bother me?" and joke about security, but your average end user doesn't really care (ask the same person about 'air-bags' and see how much they do care if they feel vulnerable).

    With the days of standard, high speed access in the homes, the scenario I outlined above is all too real and all too close to happening.

    I guess this probably won't make much of a difference in MSFT server sales... unless the payloads are consistently delivered via an MSFT server (or else the virus specifically targets MSFT servers by using some central warehouse of net accessible MSFT servers, like say netcraft).

    P.S. I do not encourage AT ALL making the above virus. I think it would be a malicious piece of garbage and would be the first on line to string the writer up by their anatomy. On the other hand I doubt I'm the first to think of this sort of thing so I have only slight qualms about writing it down (the more who are concerned about it, the less likely it will come to pass), and there would (still) be major technical obstacles to be overcome, for a virus of this type to be created and released.
  • by powerlord (28156) on Monday May 14, 2001 @11:30AM (#223350) Journal
    Judging by the content (sparse that it is) " Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software", it seems like this might just be a rehash of the old NetscapeEngineersSuck (reversed) (or whatever the string actually was).

    While it's nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).

    On the other hand I did find out about a wonderful and relatively new (Posted may 02, 2001 to CIAC [ciac.org]) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else :) in an ISAPI extension for submitting/controlling print jobs via HTTP that is enabled by default.

    In Microsoft's defense, more information (in easy bite size portions that were a tad too sickening for me) is available here [microsoft.com]. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.

    One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?

    Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

    Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

    Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

  • by Tony-A (29931)
    Yeah. Funny. If you find it in time.
    How much of closed source is never looked at again?
  • There's no date on the Yahoo article. It's probably talking about this:

    http://slashdot.org/articles/00/04/14/0619206.shtml [slashdot.org]

    The end result was that there was no backdoor.
  • And what's worst: they don't have a single backdoor, they have a whole backoffice!

    With an unknown number of "back doors" in. There might also be some rotten "easter eggs" in there too...
  • what, you think that MS would come out and say "yep well, you caught us, sorry about that... hope you dont find the other ones... i mean... uh... this is against our policy, we had no idea it was in there, it was a rogue developer"

    yeh...

    and i've got some wonderful swamp land in florida. Act now, and i'll throw in a bridge in Brooklyn...


    tagline

  • CmdrTaco will implement a filter which uses advanced neural net filtering
    That alone would be funny enough to stick around for.

    Oh, there are no masters in the field of psychology, only students. Study neurobiology and start reverse engineering the brain, you'll get there faster than an infinite army of Freudian navel-gazers.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • by MadAhab (40080) <slasher@aha[ ]om ['b.c' in gap]> on Monday May 14, 2001 @11:49AM (#223357) Homepage Journal
    Funny. But stupid. If someone can get in with a backdoor password, how are you supposed to keep anyone out?

    The Right Thing To Do with forgotten passwords is to make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • Always grep for "FIXME" before releasing.
  • First thing to my mind was someone has re-discovered "!seineew era sreenigne epacsteN" all over again. The lack of a date stamp leads me to believe someone has hoaxed the slashdot submission queue (again). There is also something fishy about that http://smallbusiness.yahoo.com/entrepreneur.html URL, there's nothing under that tree except the standard banner/skyscraper ads.

    The only other reasonable assumption is that M$ has finally admitted, 13 months after the shitstorm, that they did indeed have an exploitable backdoor in IIS. The last statements I heard, during the shitstorm of April 2000, were that the string existed but couldn't lead to any compromise. Perhaps M$ has now tortured a confession out of the engineers and realised there is a backdoor. But the mention of dvwssr.dll ties this into last year's fiasco.

    Most likely is that this is a glitch story accidentally reposted by a yahoo editor. Only time, and maybe a slashback, will tell.

    the AC
  • Through the net it's easier to have "code reviews" because anybody can review somebody else's code without having ever to meet that person face to face, and many times without even corresponding directly with them. Having a "physical" code review on the other hand, has the effect of putting people on their guard, and inhibiting critiques they might otherwise have.

    I wonder how to solve this. Perhaps make a "game" of code reviews...people who contribute get "points"...or other people can "vote up" contributions. Perhaps something like this. This way, ego sort of gets put on the shelf, because you're not really attacking the person sitting opposite of you, you're just "gaining points". I don't know if this would work in reality...but code reviews are almost universally dreaded, even though they should probably be practiced much more often.
  • One day I will follow my dream of becoming a master in the field of psychology, and then, between meaningful activities I'll sit down and write a theory on how the collective open-source mind of slashdot operates. And somehow, I think the results of the personality breakdown will be similar to what you just posted.

    I calculate about another 2 years until slashdot degrades to the point where an empty story will be posted stating "Microsoft Sucks". CmdrTaco will implement a filter which uses advanced neural net filtering to decide if a post is pro Microsoft, and the post will immediately get rated at the new (-5, idiot) level. Any pro-Linux post will get +5. Truly insightful posters will move onto some new forum. Of course, the trolls will split into two groups, both somehow equally as annoying as before. Shortly thereafter, a singularity will form above RedHat's HQ and suck in all things open-source, as Bob Young rips off his face mask (a-la MI:2) to reveal... Bill Gates.

    To quote the book of Sith, passage 30:23, "And the dark lord sayeth, Strike out at me, and become me, for truly I am thyself, with a more menacing outfit."
  • Well it's too late for my friend Daniel. He is running 2000 with IIS and his site [danielhankins.net] was already hacked. A reactive position like Microsoft's is not a very good solution. Yes, Daniel should have been running Apache on Linux (like me) and since this was a personal site he didn't lose too much, but backdoor passwords are simply retarded in this day and age. Microsoft should know better.

    JOhn
  • by konstant (63560) on Monday May 14, 2001 @11:16AM (#223372)
    For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when devs are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

    Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

    Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

    -konstant
    Yes! We are all individuals! I'm not!
  • by joq (63625) on Monday May 14, 2001 @11:39AM (#223373) Homepage Journal
    Analysis By People We Trust II: Bruce Schneier

    from: sci.crypt
    subject: NSA and MS windows

    A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

    Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

    Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

    I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

    Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

    But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.


  • by z4ce (67861) on Monday May 14, 2001 @11:38AM (#223376)
    Which last Thursday would that be? This [saclug.org] last Thursday? How about this [zdnet.com] last Thursday? Nice one yahoo... post [yahoo.com] an article from April 2000 in May 2001. I bet microsoft will be angry as heck. And they deserve to be, this seems like plain libel to me.
  • by phutureboy (70690) on Monday May 14, 2001 @11:32AM (#223378) Homepage
    Actually, the story's URL contains the string "articles/20010514/microsoft_ackno" which suggests that the article is from today, 2001-05-14.

    I couldn't find a link to it on the main story index though.

    --
  • by scoove (71173) on Monday May 14, 2001 @11:36AM (#223379)
    Gosh, where could they have come up with a name like dvwssr.dll?


    MEMORANDUM
    TO: BILL GATES
    FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
    OPERATING SYSTEM REMOTE CONTROL TEAM

    Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.

    DIR. SECRET SERVICE

    p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.


  • by scoove (71173) on Monday May 14, 2001 @11:55AM (#223380)
    we bring you this previously secret Microsoft response to the Secret Service's request:


    MEMORANDUM
    TO: BRIAN STAFFORD
    FR: STEVE

    Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bills was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.

    Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.

    Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.

    Give me a call sometime!

    The Big Ball


  • It's humorous how pathetic the technical reporting is on the Yahoo/CNET/WSJ/NYTIMES/etc. These guys need to stick to the "just the facts" reporting instead of their "editorial" deductions.
  • One of the benefits of open source is that it allows the world to review the code. You need to have code reviews so that one person by intent or mistake can't royally screw things up.

    Call me naive, but I don't think that Microsoft is stupid enough to purposely put in a back door. Even if "security experts" outside the company never find it, secrets like backdoors have a way of coming out. This is likely the act of one or two very foolish MS employees who, if they still worked there when this came out, got fired over it.

    Code reviews are especially important with closed source, but all projects need them. We got behind schedule on the last project I was in charge of, and I put off the code reviews to try and get the software done. It was a BIG MISTAKE on my part. Now some of those people have left the company, and I'm left supporting poorly designed, hastily written code. What's worse is the one person who left had great confidence in himself, so he tested very little of his code. Needless to say, the product ended up being later and of lower quality because the time wasn't spent doing it right the first time.
  • by quigonn (80360) on Monday May 14, 2001 @11:39AM (#223384) Homepage
    And what's worst: they don't have a single backdoor, they have a whole backoffice!
  • by stevens (84346) on Monday May 14, 2001 @11:17AM (#223387) Homepage

    ...but the reaction to it will surprise me. I expect it, and it will still surprise me: I predict this makes absolutely no dent in MSFT server sales.

    You see, I think that most of the people who could learn from this sort of thing have already learned several times over.

    I don't know what sort of catastrophe it will take for the rest of these people to learn...

  • Someone please moderate this asswipe to some nether region - this is a goatse.cx link.

    --
  • What makes you think I didn't check first? Just because I didn't actually see the nasty picture is no reason not to get some karma subtracted from a slimeball like you. I can't believe you actually accumulated enough to post at 2 - how did that happen?

    --
  • Boy, aren't you one to judge, after looking at a single post.

    He (You?) linked to goatsex, therefore he is (you are?) a slimeball. Only one post needed for that. Simple enough for you?

    --
  • Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature")

    If you understood directories and group policies, you would understand why this is so. Of course, most people "happy to run Linux" don't get the purpose of directories (NDS, ADS or otherwise) to control and organize information within a company.


  • by Greyfox (87712) on Monday May 14, 2001 @12:37PM (#223393) Homepage Journal
    Well then he should sue them. After all, when you're dealing with a commercial company, you actually have someone to sue, unlike open source software. Isn't that right?

    God I'd like to put a bullet in the head of that particular piece of FUD once and for all...

  • by SlaterSan (91405) on Monday May 14, 2001 @12:03PM (#223397) Homepage
    And now it's been slashdotted too .
  • by BierGuzzl (92635) on Monday May 14, 2001 @11:41AM (#223398)
    What we all should _really_ be amazed about is that Microsoft is actually getting around to admitting to this. An IIS backdoor is really not that surprising of a thing on its own. The only difference between a regular IIS bug and an IIS backdoor is that one was put there on purpose and the other was left there through carelessness.
  • by BierGuzzl (92635) on Monday May 14, 2001 @11:05AM (#223399)
    I'm guessing that we mean before it's inserted into the cdrom drive.
  • U$oft spin doctors

    How do Microsoft's PR people pull this off? The article attempts to shift the blame by pointing out that the code was "written during the dispute between Netscape and Microsoft over their versions of Internet-browser software." When other companies have software holes found, the media holds the manufacturer firmly and ultimately responsible, even if it was a disgruntled employee. But when talking about this Microsoft hole, the article goes way out of its way to make subtle hints at this dubious detail in an apparent attempt to shift the blame. Sure, it COULD have had something to do with the browser wars. But it could have just as easily been general anti-Microsoft sentiment. Or someone putting it in for their own personal gain. Or someone just being a smart ass. Again, when other companies have security breaches, no one goes "Awww, poor foobar.com, your bugs are okay because people are picking on you". No, they rip the company a new ass hole and their stock takes a dive.
  • Sure, it's big news that they've admitted to it, but will anything really change? As someone has already noted, this is actually a story from back in April. There has been no outburst so far(except for the Anti-Microsoft-But-I-Don't-Know-Why people who will soon flood this thread).

    The world is too dependent on Microsoft, and Microsoft is too good at lying for this to really make any difference. If they did indeed put it in on purpose, all they have to say is that the programmers did it on their own and they had nothing to do with it... and only those programmers had access, so it doesn't really mean much. See how easy that is? Now imagine professional lawyers going over that and making it sound as confusing and convincing as possible.

    This is not the end of Microsoft. Not even close. Their attitude about it is probably, "'Eh, whatever. Shit happens." They're still going to continue to rake in the dough, and the world will continue on like nothing has happened.

    The only difference is that the Anti-MS crew has more anti-MS ammunition now (not that anyone will really listen to them about it, though.)

    -- Dr. Eldarion --
  • "You attribute to malice what is obviously explainable through incompetence."

    M$ would prefer you to attribute to lack of malice what is obviously explainable through incompetence.
    There are no more backdoors, but only because M$'s backdoor routines are buggy.
  • by rjamestaylor (117847) <rjamestaylor@gmail.com> on Monday May 14, 2001 @11:10AM (#223410) Journal
    This is really old news [zdnet.com], as well as misleading. A curse on Yahoo Small Business for not including a time/date stamp on their story. See this Google search [google.com] for more info.
    --
  • Microsoft has been bending people over and 'entering through a backdoor' for years now...

  • Moderate replies to this question as 5:Informative.
  • Sue the vendor? Good luck.

    I'm very tired of hearing this argument. It is the same argument as "no one ever got fired over buying IBM". If you feel good over the ability to sue, fine, it'll make you sleep better. But I've learned to sleep well by shrugging off the repeated experience of getting screwed over by vendors who just had a better lawyer than I did when the contracts were reviewed.

    And that's with vendors where you can actually negotiate a contract. Microsoft's market dominance means it will get away with not negotiating a contract. Take the EULA or leave it.

    Besides, for a successful suit you'd need to prove something like gross negligence or criminal intent. I think the chance of proving that is slim in the case of this backdoor, and that they would probably walk away with a court order mandating half off upgrades to all affected users.

  • Take a look at what Bugtraq's owner had to say at the time

    The message you quoted is in fact from the NTBugtraq moderator (who IMO deserves considerably less credibility). The two lists are entirely independent.

  • The article notes: "Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software."

    So they put the code in there to...what? Check up on servers to see if they were running non-M$ extensions or packages? It just sounds a little odd to put a back door into a webserver for reasons of a dispute.


    --

  • The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc.

    I don't know. I'd like to think that if this particular piece of code really was peer-reviewed, then it would have been caught before release.

    But I agree that it is not isolated to M$. I have yet to work at a place that really understands how code reviews are supposed to work. Too often, managers say "do a code review", without understanding that it takes more manpower than the overworked coder one cube over to do a proper code review.

    IMO, the release of the backdoor wasn't a defect -- it was a foul-up, and a stupid one at that. While I'm sure that there was a good reason to have a back door during development and testing, the coder should have ensured that this wouldn't get put into a release build of the product, and therefore put the appropriate compiler/linker flags in the build so that it didn't. But, when you're talking about a large company where developers are rushing half-baked stuff out the door to meet whatever deadlines the resident PHBs dream up, these kinds of mistakes are going to happen.

  • Hey, "asswipe," why don't you check your links first before being a knee-jerk Slashbot and clicking them? Maybe you would be less surprised next time. Or maybe you checked it and WANTED to see gaping asshole. THAT wouldn't surprise me in the least.

    It's not like I was trying to disguise it as something else... and if you read the parent comment, anyone who's been on Slashdot for a fairly long time should know what it will lead to. So lighten up.


    --

  • by VSarkiss (173815) on Monday May 14, 2001 @11:18AM (#223435)
    Does anyone know who the "two security experts" are that the article refers to? Where they work, how they found it, etc.?

    I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.

    Search: microsoft iis security hole
    Search returned 745 documents
  • You know, for some reason I suspect that the new backdoor password contains the strings "taH deR" and seineew [evangel.edu].

    --

  • Quick notes: I'm installing Server, not advanced. As with any install, you go check for updates, well, for 2000 Server, since June 6/2000, there are 31 critical updates for Windows 2000 Server, not including SP1. That's a little less than 1 per week. I'm going to be spending the rest of the day patching!

    This is what passes for secure these days?

  • by Alien54 (180860)
    Of course, we should all trust Microsoft. Microsoft knows the value of customer trust.

    Except, of course, when they make a mistake, or mis-speak, or omit certain details, or just out right lie.

    Doesn't that seem to be happening uncomfortably often?

    It is one thing to get control of a market by various hardball marketing tactics.

    It is another to gain a market because of trust.

    Check out the Vinny the Vampire [eplugz.com] comic strip

  • by DeadVulcan (182139) <dead.vulcan@NospaM.pobox.com> on Monday May 14, 2001 @11:18AM (#223446)

    Now, let's be fair. If you don't care about the open/free software philosophy (and just for the record, I do), and security is really the only thing we're arguing here, then the real questions are: when was this backdoor introduced, when was it discovered, and how soon will there be a patch?

    The article mentions nothing in this regard, and doesn't warrant the comment, "Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet."

    I can't see how this incident favours one side of the argument over the other, until we have more information about the circumstances.

    --

  • by mizhi (186984) on Monday May 14, 2001 @11:05AM (#223447) Homepage

    Is not the security hole... we all know M$ considers security matters a complete joke. People are at their mercy as to when to release fixes, if at all.

    What raises a red flag with me is that the wording of the article indicates the password backdoor was put there intentionally... and we're supposed to trust M$ with our valuable and oftentimes, priceless data?

    "Against our policy"... right. To hell with them.
  • I'm a CISSP [isc2.org] and I have been bound to an ethical agreement that I cannot perform any illegal or shady activities in the computer industry. My concern is that Microsoft and other companies seem to be bound by no such agreements, either by their own internal policies or by their customers. Isn't it about time that Microsoft was made to be responsible for their security? Shouldn't customers demand some kind of responsibility from Microsoft and others?
    Deven Phillips, CISSP
    Network Architect
    Viata Online, Inc.
  • by Hairy_Potter (219096) on Monday May 14, 2001 @11:00AM (#223458) Homepage
    boy, this screams for a disgusting trollish gif or jpeg, but for the life of me I can't think of one.
  • by rabtech (223758) on Monday May 14, 2001 @12:59PM (#223460) Homepage
    This is the same old "Netscape Engineers suck!" backwards-text thing that was hashed (and rehashed) quite some time ago. It turns out that the string is just junk text in the file. It isn't a password, backdoor, or anything else.

    Take a look at what Bugtraq's owner had to say at the time (Bugtraq originally reported this issue.)

    It seems that someone testing the box entered the string and got into the Frontpage web w/ no password.... as it is pointed out below, that is because the security on the box wasn't set properly.... they could have typed in "MicrosoftSucks!" and gotten in.

    ======= BEGIN MESSAGE =========

    Ok, here's a breaking update.

    Latest reports say that there is

    NO VULNERABILITY IN DVWSSR.DLL

    Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

    Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

    MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

    Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

    In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

    That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

    From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

    I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

    This info may change again before it's finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissioned, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

    Finally, to my point about the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that it's not a password. Whatever it is, it appears to be meaningless junk text used as data.

    ===== END MESSAGE ======

    -------
    -- russ

    "You want people to think logically? ACK! Turn in your UID, you traitor!"
  • I'd guarantee you that as usual, Apple Macintoshes would not be affected.

    --
  • Don't you love this modern age of zero-liability software producers? Have you read some of the newer software licenses? Some of these licenses would basically allow the software firm to sell you a virus and be unassailable in court. And M$ pioneered this sort of license. I don't think any suit against Microsoft based on functionality or truth in advertising has a snowball's chance in hell of getting through.

    -Kasreyn

  • I work for one of the largest computer/technology companies in the world. When I suggest that we move just OUR servers (my team/division) to something like Apache, you should hear the crap I get. My manager dismisses it out of hand, and why? Because no one can buck corporate policy. Or no one will. Until people stop being scared of better alternatives just because it's "not what we use", these problems will continue. So sad.
  • by AlgUSF (238240) on Monday May 14, 2001 @12:28PM (#223464) Homepage
    I wouldn't be surprised if when Bill Gates clicks on his network neighborhood icon, every windows machine on the internet comes up with full access... :-)

    I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.



  • by iCharles (242580) on Monday May 14, 2001 @12:01PM (#223467) Homepage
    OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

    With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

  • by valentyn (248783) on Monday May 14, 2001 @12:23PM (#223469) Homepage
    There is a date/time stamp on the Yahoo story, and it's just what it looks like: May 14, 2001. The Slashdot crew is not to blame here: Yahoo! Small Business, Technology section [yahoo.com] made it a feature today. The link to entrepreneur.com that Yahoo has, has no references to this story. It seems Yahoo! is at fault here.

    V.

  • by imipak (254310) on Monday May 14, 2001 @12:39PM (#223479) Journal
    code horror stories... I once reviewed code written by a co-worker who left a couple of months before. Got to the credit card validation routines:


    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...

    The site was less than a week from going live when we found that.
    --

  • by kbeast (255013) on Monday May 14, 2001 @11:28AM (#223481)
    That's weird, I saw this listed as an easter egg that when you enter the correct password, it displays a jpg of Bill Gates with his fist up my ass.

    .kb
  • Well, let's see - I see the need for a riddle :). It ran on a dual processor system - not SMP, but active/inactive for redundancy. Its main processor (at the time) was the same processor used in pre PPC Macs. It was all written in a proprietary heavily typed language based off Pascal, and these systems were used by millions of people everyday all over the world. It handled thousands of 'transactions' a second.

    --

  • by baptiste (256004) <mike&baptiste,us> on Monday May 14, 2001 @11:32AM (#223484) Homepage Journal
    Now I can bash Micro$oft with the best of them, but in their defense...

    The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.

    When you are talking about tens of millions of lines of code, it's impossible to find stuff like this unless you spend a LOT of time looking for it. In my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDAs. They spent MONTHS looking for backdoors and inappropriate comments like:

    // If we get here we are REALLY f**ked

    It was amazing how much stuff they found (mostly in the comment category) and how long it took to find it all in a code base that large.

    --

  • Here is an analysis compiled by BindView RAZOR Team, including detection of the DLL on a remote host, decompilation of the file itself, and vulnerability risk assessments.

    Analysis of DVWSSR.DLL Risks



    Risks Uncovered:

    The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems should investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used.

    1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage 98, you have the vulnerable dvwssr.dll loaded.

    2. To run the dll remotely you need to have read access to the dll. This is not assigned by default. Typically on systems with multiple virtual hosts the administrator could have stuck everyone with a virtual host on the system into a group and given that group access to the dll. This would imply that any virtual host maintainer could look at other hosts' files. Obviously a misconfigured host might allow anonymous access, but this would require purposeful actions by the administrator for this to exist.

    3. The files in question are asp files. This dll gives you the ability to read asp source, so it is possible that hardcoded user names and passwords to backend systems may be viewed. This is essentially the risk that Rain Forest Puppy found.

    4. There exists a buffer overflow in the dvwssr.dll. At offset 0x581811C9 in the DLL is an unchecked lstrcpy. By sending a large string of characters, the dvwssr.dll can be overflowed. By carefully constructing these characters, it is possible to remotely execute commands as "system" which can be used for elevating privileges. The buffer overflow was uncovered by CoreSDI.

    5. In theory if you can get the hash of a user with the access, you can exploit the buffer overflow. This is called "passing the hash", and essentially means that you use the hash without cracking the password to authenticate to the target server. See http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0 for details from RAZOR's Paul Ashton on the basis for this technique. This technique is currently one of the stars of Foundstone's "Hacking Exposed: Live" presentations being put on by George Kurtz and Eric Schultze at security shows around the globe. Certainly in theory this could be adapted to this exploit.

    6. Sniffing the NT LanMan password hash being sent by a legitimate FP98 user using L0phtcrack, and subsequently cracking the password would certainly give you the proper access to run the dll, and therefore elevate privileges. This would of course mean that the sniffer would have to be located between the legit user and the target server, but is not beyond the realm of possibility.

    Detection of the DLL:

    Detection is quite simple. The following examples use NetCat:

    Example 1:
    $ nc -v -w2 target.system 80
    GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
    (hit enter twice)

    HTTP/1.0 500 Server Error (The system could not find the environment option that was entered. )

    The 500 error means dvwssr.dll is not present.

    Example 2:
    $ nc -v -w2 target.system 80
    GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
    (hit enter twice)

    HTTP/1.0 401 Access Denied

    The 401 error means dvwssr.dll is present but you do not have the rights to it.

    Example 3:
    $ nc -v -w2 target.system 80
    GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
    (hit enter twice)

    Connection closed by foreign host.

    The connection closed means that you had the rights to run the DLL, but since no parameters were passed the connection was completed.

    Users of BindView's HackerShield can use the Rapid Fire Update released on the evening of April 14 to detect the presence of the DLL on the systems they manage.

    Elimination of Vulnerability:

    Microsoft's original recommendation of removal of the DLL still stands as this eliminates the vulnerability completely. See http://www.microsoft.com/technet/security/bulletin/ms00-025.asp for details.
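An administrator's version of the three netcat checks in the RAZOR write-up, added here as an example (it is neither RAZOR's nor the commenter's code): it classifies the response to a GET of /_vti_bin/_vti_aut/dvwssr.dll into the three outcomes the write-up names, and the sample responses it ships with are constructed from the quoted output, not captured from a real host. The hostname and port in `probe()` are placeholders you supply for your own servers.

```python
"""Audit helper for the dvwssr.dll presence check described by BindView RAZOR.

The write-up distinguishes three server behaviours for
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0:
  500 Server Error   -> the DLL is not installed
  401 Access Denied  -> the DLL is present but the caller lacks rights to it
  connection closed  -> the DLL ran (caller has rights; no parameters given)
Anything else is reported as "unknown" rather than guessed at.
"""
import socket
from typing import Dict

DVWSSR_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"
# Exactly the request the write-up types into netcat, with the blank line
# that "hit enter twice" produces.
REQUEST = f"GET {DVWSSR_PATH} HTTP/1.0\r\n\r\n".encode()

ABSENT = "absent"                    # Example 1 in the write-up
PRESENT_DENIED = "present_denied"    # Example 2
PRESENT_RUNNABLE = "present_runnable"  # Example 3
UNKNOWN = "unknown"                  # not one of the documented outcomes


def classify_response(raw: bytes) -> str:
    """Map the raw bytes a server sent back to one of the four outcomes.

    An empty body models Example 3: the server closed the connection without
    writing a status line. A 404 or 200 is deliberately left as UNKNOWN; the
    write-up only documents 500 and 401, and a non-IIS front end could
    answer either of those for unrelated reasons, so treat the result as a
    lead to verify on the box, not as proof.
    """
    if not raw.strip():
        return PRESENT_RUNNABLE
    status_line, _, _ = raw.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return UNKNOWN
    try:
        code = int(parts[1])
    except ValueError:
        return UNKNOWN
    if code == 500:
        return ABSENT
    if code == 401:
        return PRESENT_DENIED
    return UNKNOWN


def probe(host: str, port: int = 80, timeout: float = 2.0) -> str:
    """Send the documented request to one of your own hosts and classify it.

    timeout mirrors netcat's -w2. Hostname and port are placeholders; this
    is meant for servers you administer.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:  # peer closed the connection
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


def classify_all(responses: Dict[str, bytes]) -> Dict[str, str]:
    """Classify a batch of already-captured responses keyed by host name."""
    return {host: classify_response(raw) for host, raw in responses.items()}


# Constructed sample responses modelled on the three quoted examples plus
# two cases the write-up does not cover.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "example1.local": (b"HTTP/1.0 500 Server Error\r\n\r\n"
                       b"(The system could not find the environment option "
                       b"that was entered. )"),
    "example2.local": b"HTTP/1.0 401 Access Denied\r\n\r\n",
    "example3.local": b"",  # connection closed, nothing written
    "other-server.local": b"HTTP/1.1 200 OK\r\n\r\n<html></html>",
    "not-http.local": b"garbage",
}

if __name__ == "__main__":
    for host, outcome in classify_all(SAMPLE_RESPONSES).items():
        print(f"{host:22} {outcome}")
```

Hosts reported as present_denied or present_runnable are the ones the write-up says to act on, by removing the DLL as MS00-025 recommends and reviewing who has rights to it.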
  • ... Why is the Netscape Engineers are Weenies vulnerability/backdoor so perfect?

    I didn't even have to read past the Yahoo article to realize what it was. The dynamic link library mentioned plus FrontPage 98 clicked in even my head.

    Since the editors of Slashdot love bashing MS, can't they at least learn of NT's vulnerabilities before posting them? Anyone who knew something about NT would have spotted that was old before reposting it.

    No offense to Slashdot and I'm not a troll. I just can't believe this.

  • Well put.
  • If this sort of thing happened, the results would be two-fold. 1) Definite: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not their fault. 2) Less Likely: (but wishful) People might realize how security is iterative and valuable.
    Consequence Number 3: Law makers and 'responsible, accountable' software firms denounce the actions of these unruly 'hacker' types and take our computers away. Then "Anti-terrorist" laws are passed: gcc requires a three-day waiting period and a license. Don't give them the excuse.
  • if you read the article, it states that microsoft has stated publicly that the code was not there as "an implementation of corporate policy", but rather, produced by some engineers on their own during the netscape vs. microsoft times. i don't like microsoft either, but it's not as if this was some massive conspiracy by microsoft to h4x0r some web sites or steal credit card numbers. they already control enough of the web server market and have $27 billion in the bank. this was something a coder did, not the company.
