Microsoft IIS4 Backdoor Claim Retracted
maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists." So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.
Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.
I'm going to live forever or die trying.
We should try to make Linux and opensource look better instead of trying to make its competitors worse. I'm getting sick of all the Microsoft crap on /.
I likes the techie stuff. Gimme!
-- Kirk S
Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.
As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.
My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.
There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit it yet.
Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.
Cheers,
ZicoKnows@hotmail.com
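An audit for the condition summarized in the comment above, added here as an example and not part of the original post or of any Microsoft tooling: it locates copies of the DLLs named on this page and lists .asp/.asa files whose ACL grants read access to Everyone. The function names, the `-Root` parameter and the sample path are assumptions.

```powershell
# Added example. Function names and the -Root parameter are hypothetical;
# the two DLL names are the ones mentioned on this page.

function Find-FrontPageDll {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Names = @('dvwssr.dll', 'mtd2lv.dll')
    )
    # Report every copy so it can be removed or access-restricted.
    Get-ChildItem -Path $Root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Test-GrantsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights      = [int]$Ace.FileSystemRights
    $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # ACEs can carry raw generic rights that the FileSystemRights enum does not name.
    $genericRead = -2147483648   # GENERIC_READ (0x80000000) as Int32
    $genericAll  = 268435456     # GENERIC_ALL  (0x10000000)
    return (($rights -band $readData)    -ne 0) -or
           (($rights -band $genericRead) -ne 0) -or
           (($rights -band $genericAll)  -ne 0)
}

function Find-EveryoneReadableSource {
    param(
        [Parameter(Mandatory)][string]$Root,
        # S-1-1-0 is the well-known SID for Everyone; using the SID avoids
        # depending on the localized account name.
        [string[]]$Sids = @('S-1-1-0')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -Path $Root -Recurse -File -Include '*.asp', '*.asa' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
            catch { return }   # unreadable ACL: skip this file
            # Explicit and inherited rules, with identities returned as SIDs.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $Sids -contains $ace.IdentityReference.Value -and
                    (Test-GrantsRead $ace)) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Sid       = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Example run against a hypothetical web root:
# Find-FrontPageDll -Root 'D:\WebRoots'
# Find-EveryoneReadableSource -Root 'D:\WebRoots' | Format-Table -AutoSize
```

The check reports Allow entries only; it does not compute effective access, so a matching Deny entry or a grant made directly to another webmaster's account needs a separate look (pass that account's SID via `-Sids`).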
Read this. This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.
Ian
> What OS did you start on, when you first touched a PC? For me, it was DOS, of course..
for me it was Apple DOS 3.3. What's your point? Does that make it a good OS? Get a clue!
> Although, come to think of it, who the heck uses Win2000 anyway? Win98 is more stable.. but that's like comparing the two crappiest bands in the place; which one's better?
I do. And being "based on NT technology", Windows 2000 is FAR superior to Windows 98 in terms of stability. Again, you have NO IDEA what you are talking about. (Of course, Linux is far more stable than both of them, and I use that, too.)
My journal has hot
How often does it happen that the press actually gets their facts straight? Does it feel weird that in this case the story has changed so quickly? First it's a BACKDOOR MAMAAAA help. Then, it's a bad BUG. Then it's nothing at all:
-There is nothing to see here, folks, just go on with your business, there is nothing going on here, nothing at all! Can't we all just get along!
Micro$oft has lots of money (BTW. WTF. Why isn't /. talking about the latest HIT on TECHSTOCKS? Is it because Linux suffered a lot?) so Microsoft has the money to make everyone go on with their business and shut their mouths.
I wonder how much (intangible costs) will MS pay for this blunder?
You can't handle the truth.
Tell me: if someone had made the same claim (hidden backdoor) about Apache, would you have been as quick to believe it? The fundamental answer (which is the point Eric was making) is "No."
-russ
Don't piss off The Angry Economist
..so it may not be a backdoor. 2 questions remain:
#1, WTF is that string doing in this dll?
#2, Can Netscape sue for libel?
But that is the annoying thing about Microsoft. Whenever there is even a fake report, they've had such a bad history of denying bugs for days, weeks or even months (I'm still bitter about DOS 6.0....) that when stuff like this happens, you have to take it seriously if you are using their products. It gets awfully frustrating.
Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.
Dana
I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.
Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.
Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base their business on Linux and/or Open Source Software based products.
What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other on the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.
What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporation. Think about it. Here are the parallels:
1. Linux = Windows whatever.
2. Open Source Community = Microsoft Developers.
3. Slashdot (and other places) = Microsoft marketing machine.
I'm sure there are many others. But this is what I could think of.
So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.
In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.
And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.
Vuln-dev FAQ
We've been discussing this on the vuln-dev mailing list. Here are the relevant threads:
Has anyone verified whether is is valid?
Re: dvwssr.dll (Has anyone verified whether is is valid?)
So far, consensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.
Now, there is a worse hole that the CoreSDI guys have found:
DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers
It's an unrelated hole, that was inspired by RFP's post.
RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.
In either case, with two major problems related to the same .dll, and a huge embarrassment for MS, you WILL see this file patched. :)
And let's not forget MS's word on the subject:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
BB
No, because his point remains true: that if you cannot audit the source, the executables are less trustworthy. Perhaps the incident that prompted his observation is a non-incident. So what? His point is valid, and worth making, again and again (that's how you sell ideas, by the way, by repeating them).
-russ
Don't piss off The Angry Economist
What's happened to Slashdot?
I'm not talking about the error; the correction was prompt and quick. I'm talking about the Trolls.
We've always had trolls. But now it is just crazy.
What prompts people to behave like this on web forums? Do those of us who don't want trolls, do we need to go elsewhere?
How much fun would it be to Troll a forum no one reads?
Sorry for posting off-topic, Slashdot used to be a much nicer place to visit. I think the threshold has been breached; AC posting must go. Perhaps temporarily.
And I used to be a strong supporter for AC posting too. But the rewards no longer outweigh the problems, not when it is like this.
Whatever will we do?
There are also bugs/races in open source programs that were sitting around for several years. I believe a few months ago there was an exploit for redhat/debian systems that slackware fixed 2 years before. Right now Lynx has a bunch of races in file creation that won't be fixed because the code is so bad and the authors aren't addressing it. So opensource is not the cure that ESR makes it out to be since not many people with the knowledge of what's happening look at the code they're compiling.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
BTW, have any of you guys tried this command on the linux kernel tree before??
# cd /usr/src/linux
# egrep -i "fuck|shit|damn" `find . -name '*.c'` 2>/dev/null
It's quite amusing.. It's there.. but I can guarantee that you will not find an INTENTIONAL security hole in the linux kernel.
Ryan Wyler
The parent to this post is the one post on this entire article that is ACTUALLY RELEVANT and has a lot of meaty, relevant links.
--Joe--
Program Intellivision!
Two dlls (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system. This includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's website if hosted on the same physical machine.
If this is true, this is a vulnerability in the environment with multiple users sharing a hosting service (but not with single user as someone probably thought originally).
Anyone disproven this? Or now only vulnerabilities that don't require a local account on the system count as real?
Contrary to the popular belief, there indeed is no God.
It was very easy to verify. As soon as I heard the story, I tried to verify it, by installing IIS, etc, and was unable to.
Looks like the press got suckered in to reporting an urban legend! I hope Bill Gates puts these so-called newspapers out of business for this slanderous coverage.
--- Speaking only for myself,
What if they decided to use for their string something like the following: "I've seen a report compiled by private detectives that detail a very sordid private life by Sun CEO Scott McNealy. It appears that various times within the last 24 months, he has forced subordinates, both female and male -- one a 16-year old high school exchange program coder -- into engaging in sexual acts with him under the threat of losing their jobs. Our source indicates that all employees -- some current employees and some who have departed -- were paid off with a secret discretionary fund controlled by Sun's board of directors."
Now, any reporter making something like that up would get their testes sued off, but what if a company purposely put it into a common library, knowing that it'd be found, just biding time until someone looked at it with a hex editor? Yeah, it's pretty far out there on the realm of possibilities, but I have a hard time believing that a new judge would keep the precedent set by the one you mentioned in such a case.
Cheers,
ZicoKnows@hotmail.com
I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangelizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.
You all have lost sight of the fact that a computer is only a tool. And if you're wise, you will put your biases and prejudices aside and use the best tool for the given application!
Linux [ and open source ] is not always the best solution to a given problem.
The hypocrisy of your animosity is enormous. Would you have a PIII650 with 256MB if it wasn't for Windows being directly responsible for expanding the user base of PC's and thereby lowering the prices for everyone ( that includes you Linux user )?
If you do not like it, do not use it. Your energies would be better spent taking care of the problems in your house instead of sweeping them under the rug.
And, in case you're curious what my tools of choice are: Win2000 ( which works great ) and BeOS ( which works even better! ).
> What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other on the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.
Ah, but the encouraging thing is-- if Slashdot readers consist entirely of backslapping open-source bigots, why was your comment moderated to a +4? Why was the top-rated comment about the `Geek Pride' festival one that said, I think, that meeting Eric Raymond would be `about as enticing as a headwound'? Certainly among the Slashdot Illuminati, there's a strong voice of dissent to the party line.
I get the impression that the majority of the comments you read on Slashdot represent the views of a group of kneejerk reactionary teenagers who, like you do when you're a teenager, are trying to find their niche to fit in. The sometimes heady political atmosphere of Linux advocacy is ideal for this sort of self-definition, gives you something to talk about at parties etc. (but does not, repeat not impress girls, take note. Skateboarding is still good for something. )
Anyhow, I think the guys that run this site do a smashing job of keeping us posted. I don't think they have an agenda, but their attitude, like that of most balanced Linux users, is parallel to Linus' when he said jokingly that the purpose of Linux was to `conquer the world'. Slashdot's stories need to be taken with this sort of tongue-in-cheek comment in mind-- yeah, so MS has a dodgy DLL, big deal we will now inherit the earth bwahahaha... you're hardly meant to take it as serious political commentary. But I think the teeny contingent take it seriously and flood the comments boards with Borg-like efficiency because, well, they're just following a crowd like teenagers do.
Hmmm, bit of a ramble. But you get my drift. I don't think Slashdot is going to be descending into back-slapping hell for a long while, and there are some really incisive, decent comments being moderated up. And let's not let ESR do security reports in future, because although he's written some good essays and software, he does have an annoying habit of posting complete tripe here.
Matthew @ Bytemark Hosting
> of all the thousands of eyes looking at the code, someone will find it quicker than someone will find it in closed programs
An interesting experiment would be to put a comment in some obscure piece of Linux kernel or utility code, saying "This is a survey. If you find this comment, send a message to whoever@wherever, and don't mention it to anyone. In a year I'll report on how many pairs of eyes have spotted it. (P.S. - Let me know if you only have one eye.)"
--
Sheesh, evil *and* a jerk. -- Jade
> you don't know how much of those ESR (or anyone) sold off
FWIW, Everyone knows how much ESR has sold off: exactly zero shares. He's not allowed to sell any until 6 months after the IPO, which will be in June. At the current rate, VA Linux could be a penny stock by that point, especially after that recent report showing how they were trounced by the competition in the sale of Linux computers. Honestly, by the way that they're dwarfed by the other hardware vendors, companies which are already profitable, what does VA Linux have going for it which would keep this stock from going even lower? They're not looking to turn a profit anytime soon, and today's Wall Street has very little patience for stocks like that.
Cheers,
ZicoKnows@hotmail.com
And if there *had* been such a backdoor in Apache, whoever found it could have posted the code rather than just asserting it, so we'd be *right* not to be quick to believe an unsupported assertion.
Unfortunately, the bottom line still stands. While it might be hard to exploit this hole, the fact that it exists continues to raise serious doubts about the Microsoft QC, and other, perhaps more intentional, inclusions.
> Microsoft already have something like that. SETUP.EXE, I believe it's called.
I should have known that. I killed a Windows95 system one time by using the Windows uninstall utility to remove a frickin' $5 game.
--
Sheesh, evil *and* a jerk. -- Jade
(wave hand) These are not the backdoors you are looking for.
Most users like Explorer because it does a good job of surfing the web for the user.
As a web developer I HATE IT. Explorer does NOT correctly support HTML standards, and contains a lot of code that imposes its own view of how flawed code should be shown, often making up tags as it goes along. I cannot use IE as a development tool because it just flat out does not display HTML correctly! It also is extraordinarily crappy for Javascript debugging.
IE has had the effect of encouraging sloppy HTML coding habits - something that is going to bite the web in the ass when smaller web devices without the horsepower to run large browsers like IE become common.
I will state that most Open Source programmers had nothing to do with the feeding frenzy on Slashdot. A few "luminaries" did, but in general they acted upon what information was reported by Microsoft and NTBugTraq. Given that Microsoft itself was calling it a "back door", I can hardly fault ESR for putting out a long essay about the problem.
Finally: To accuse Open Source people of "corporatism" is silly. People who release code under the GPL do so that others *can't* take ownership and hide it from view, which is what corporatism is all about. Yes we get excited when we see our beliefs vindicated, but this has nothing to do with money. It is interesting that many former Microsoft employees, albeit working in other places hundreds of miles away from Redmond, will still defend their former employer, for the exact same reason: pride of ownership. It is "their" product, and they want to tell the world that it's good stuff and that those who criticize it are weenies. No Borg mind-washing required.
About the only lesson we can learn here is that there would have been no story if it were OSS. The Wall Street Journal would have contacted a local security guru, who would have looked at the source code of the module in question, and said "There's no back door there." No story. The only reason there was a story was because only one company had the source code to this module -- Microsoft -- and the Wall Street Journal had to rely on Microsoft's word. And Microsoft was saying it was a back door.
-E
Send mail here if you want to reach me.
I use Windows 2000 on my PC and two laptops and it works quite well. How about getting your head out of your ass for a minute?
So, in case you haven't read the bug report, the specific password in question is "Netscape engineers are weenies!"
:-)
Oh, I love Microsoft's well-developed sense of responsibility and mature approach to the market
So I guess people are backing off because you have to have publishing rights, but the ugly part is that you only have to have publishing rights to one of the virtual hosts on a server to get all of the .asp(s) from it.
I'll have to peruse the Ars Technica comments to see why they don't consider this a back-door.
Look, a lot of people were announcing an NT security hole. Slashdot reported it too. Now, I agree that Slashdot should have a team of investigative reporters who have the technical credits to figure out if this is true or not, but that's because I have a very different vision of what Slashdot should be than, say, CmdrTaco. I don't begrudge him his site as it is, but feel it would be much more useful as a validating filter on the poor high-tech reporting that goes on in other outlets.
The story is still up in the air as far as I'm concerned. One guy (who, BTW was not the original discoverer of the exploit) is reporting that Microsoft doesn't think there's an exploit.
I want to see some people grab the exploit script (it's on the real bugtraq) and run it against some test servers with valid permissions. Does it work? How invalid do the permissions have to be? Does the Microsoft documentation lead you down the road of "invalid permissions" for setting up virtual hosts?
Many questions need to be answered before this case is closed....
If I didn't already agree with Eric, I wouldn't bother being the VP of OSI. Isn't that obvious *enough*?
-russ
Don't piss off The Angry Economist
The Ken Thompson cc story is just a story. And guess what? Real software needs to be rewritten from scratch every five years, because the assumptions you make about trade-offs become invalidated. Both sendmail and bind are *long* overdue for a rewrite.
-russ
Don't piss off The Angry Economist
Apple DOS 3.3. Unless you want to count the AppleBASIC in the ][e's ROM as an OS =)
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
Facts:
- IIS w/ option pack HAS a "backdoor" with "netscapeengeniersareweenies" (or something like that).
- It allows every user with access to read all other users' .asp files. This seems not to be a bug!
- I HAVE SEEN IT WORK.
- So as it is, it would affect mostly web-hosting companies.
- BUT, Core-SDI's Gera and Beto have found a buffer overflow vulnerability.
- It lets ANYBODY on the internet crash an IIS with the mentioned option pack (called a DOS).
- It is demonstrated using a perl script posted on BUGTRAQ.
- It seems HIGHLY POSSIBLE to use THIS buffer overflow for arbitrary remote code execution.
- I HAVE SEEN IT WORK.
- So as it is, it affects ALL IIS w/ option pack4 on the net!!!
Notes: I can't even access the dll because I don't allow anonymous interaction with my IIS box. Hack the sploit so you can use a username and pass so I can test this thing already.
How we know is more important than what we know.
Because we don't have the source to IIS, we couldn't check for ourselves, so when people who we trust more than MS (for good reason - they are somewhat unbiased) made an allegation we believed them.
That's the reason Open Source is better - the security experts (or us) could have checked the source, seen no real hole, retested the scenario, and seen what was really going on.
Precisely. That's why I use *nix -- winbloze has neither grep nor cron.
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
Moderate it down, moderate correctly. I have to agree with the other posts about moderation.. What the hell is going on here. Enlighten me on what "If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old." means. So it means now if you bust your ass working on linux stuff and some corporation is still making millions life is good because you're not an 8 year old? Gimme a break people. Microsoft is Microsoft, you people BOUGHT their software or COMPUTERS with it on there. You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes. The consumer was the one putting their faith in Microsoft. Should we sue mcdonalds because it makes people fat and really tastes like shit but the commercials make me buy it or because it's the only joint on my block it's now unfair competition and they have to be sued until someone else with another shitty ass hamburger can come back in? My god. CHOICE PEOPLE! You chose a FUCKEN LAWYER to win your battle. Now think about that. You didn't choose NOT to run a Microsoft Product, you chose to waste money on supporting a government that is just as unruly and unjust as any corporation that exists. Fear the capitalism? Then move somewhere else or leave it be. DON'T take my choice! I still run Windows, I still run OS/2, I still use Linux. MY Choice. I didn't support nor write my legislature/senators to sue microsoft, that is BS. I didn't buy a distro because THAT is BS. Buying something that *IS* free for the sake of Support? If the INFORMATION is free, why would you NEED support? If it was intuitive enough, what would be so hard that you need support????? Why should redhat get my money more so than microsoft?
At least with microsoft I see Innovative features such as the highly popular portals/email/mapping systems, kick ass gaming, ease of use, quick adaptation, forward looking and forward thinking design and gui concepts? I mean for the first time in computer la la land there is consistency and a huge market.
And we want to destroy that because people are naive and want to accept freedoms and not be forced to choose? Microsoft didn't FORCE windows. Microsoft didn't FORCE anything. They played the game and the lil boys lost.. wooopideee dooo. They acquired when Netscape could have acquired. Why didn't Netscape team up with IBM to compete with microsoft? I won't even go any further, as it's pointless really..
> For an OS that was supposed to END the two different Windows OS's, Win2000 is extremely bad at compatibility, etc.
Who said Windows 2000 was supposed to do that? I mean, at one time that was Microsoft's story, but no longer. That's why it's called Windows 2000 Professional and Windows 2000 Server. There will always be WindowsMe and Windows 2000 Consumer...
> I use the command-line in Windows for almost everything but dinking with specific file operations
Same here.
> And yes, I do know what I'm talking about, I've used Win2000, hardware support? We obviously don't NEED hardware support in this OS, after all we're cool! (Now, on the other hand, Linux is good.. that's actually my main OS..)
Win2k detected every piece of hardware I had, both on my PII 450 desktop (mostly new hardware) and on my old laptop (P133). Of course, I don't have every wiz-bang programmable Speaker/Joystick/Modem/TurboKeyboard/Ethernet/Printer/Scanner combo device on the planet, but still...
And Win2k has better hardware support than Linux (sad, but true). Linux rule of hardware: if it just came out yesterday, or if it came out 10 years ago and almost nobody uses it, then there is no support for it.
My journal has hot