Microsoft secret password could allow access to Web sites
By Joe Wilcox
Staff Writer, CNET News.com
April 14, 2000, 10:20 a.m. PT
Microsoft said its engineers included a secret password using the phrase "Netscape engineers are weenies!" in Web site authoring software that could allow hackers to gain unauthorized access to potentially thousands of Web sites.
The password back door was included in software by one or more Microsoft engineers, the company confirmed. Hackers knowing how to exploit the vulnerability could access any site using FrontPage 98 extensions, Microsoft said. FrontPage, a Web authoring and site management software package, requires that special software code--or extensions--be present on the Web site for all features to be available.
To exploit the weakness, a hacker would also need authoring privileges on a particular Web server. By accessing a single file, called "dvwssr.dll," the hacker could write a script allowing access to many more files on the site.
Microsoft has been shipping software with the vulnerability for three years. Because Microsoft provides FrontPage 98 free with Windows NT 4.0 Server, the software is widely used for hosting Web sites on the Internet and across corporate intranets.
While the back door doesn't necessarily expose an entire Web server or corporate network to hackers, it does open access to Web site management files and possibly credit card information and user passwords.
Although Microsoft is treating the problem "as a serious security risk," a spokeswoman downplayed its overall effect. "Very few people are still using FrontPage 98," she said. "Most people are using FrontPage 2000."
But a quick survey of Web hosting services this morning found a number of major companies--such as Concentric Networks and UUNet--offering FrontPage 98 and FrontPage 2000 extensions.
Mark Bowden, president of BugNet, which supplies software bug fixes, said his organization will try to reproduce the security breach and that he considers it a serious threat that could affect many Web sites using FrontPage 98 extensions.
He also disagreed with Microsoft's contention that FrontPage 98 extensions are no longer widely used. "I've seen so many problems converting over to FrontPage 2000. It's not seamless," he said.
The password back door is potentially most devastating for companies that host commercial and consumer Web sites. Hosting providers typically apply FrontPage extensions individually to hundreds of thousands of Web sites, meaning the problem could be difficult to clean up.
Microsoft plans to post a security bulletin on its Web site as early as today and to issue an email about the vulnerability. The company will urge customers to delete the "dvwssr.dll" file, which should remove the back door.
Microsoft engineers apparently created the vulnerability during the height of competition between the software maker and Netscape Communications, now owned by America Online. At the time, the companies fiercely competed in both the Web browser and Internet server markets.
Software code enabling the back door includes the phrase "Netscape engineers are weenies!" The Microsoft spokeswoman made it clear the engineers' action is a firing offense. "It's absolutely against Microsoft policy, and Microsoft is looking into it seriously," she said.
The security hole's existence opens Microsoft to attacks on two fronts: from customers whose Web sites are exposed by the security hole and from state and federal trustbusters, who are completing the final stages of the Microsoft antitrust trial.
The reference to Microsoft's hard-fought battle with Netscape is unfortunate timing for the software giant. The Justice Department and 19 states are preparing remedy proposals in the Microsoft trial and could take notice of the event. U.S. District Judge Thomas Penfield Jackson earlier this month ruled that Microsoft violated federal and state antitrust law, in part because of anticompetitive behavior against Netscape.
A security consultant known as "Rain Forest Puppy" notified Microsoft about the problem in an email message yesterday morning at 9:53 a.m. after being contacted by an employee with Nashville, Tenn.-based ClientLogic.
Microsoft isolated the problem quickly. Within a few hours, "after a pretty thorough evaluation, it was clear that it was a security issue with FrontPage 98 and FrontPage 98 extensions, and we figured out at the same time there was a very simple fix: removing the single file," the Microsoft spokeswoman said.
In an email exchange this morning, Rain Forest Puppy declined to comment on the password back door. "Advisory information has been submitted to the full-disclosure mailing lists," the security consultant wrote. "The moderators should release the messages later on today."
ClientLogic, which is owned by Toronto-based Onex, provides outsourced marketing and fulfillment services to technology and e-commerce companies. The company would not discuss its discovery of the security breach but plans to issue a statement later today.
