Slashdot Mirror


Microsoft IIS4 Backdoor Claim Retracted

maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists." So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.

19 of 176 comments

  1. Vaporbug by HerrNewton · · Score: 5

    Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)

    --
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  2. Spoon! by yarmond · · Score: 5
    Time for a new advertising campaign by Microsoft?

    Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.

    --

    I'm going to live forever or die trying.

  3. Wasted time by roswell · · Score: 4

    We should try to make Linux and open source look better instead of trying to make its competitors worse. I'm getting sick of all the Microsoft crap on /.

    I likes the techie stuff. Gimme!

    --
    -- Kirk S
  4. Thanks for the article, Hemos by Zico · · Score: 5

    Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.

    As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.

    My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

    There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit it yet.

    Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.

    Cheers,
    ZicoKnows@hotmail.com

  5. The actual vulnerability. by z4ce · · Score: 5

    Read this. This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.

    Ian

  6. Smells like the Money by roman_mir · · Score: 3

    How often does it happen that the press actually gets their facts straight? Does it feel weird that in this case the story has changed so quickly? First it's a BACKDOOR MAMAAAA help. Then, it's a bad BUG. Then it's nothing at all:

    -There is nothing to see here, folks, just go on with your business, there is nothing going on here, nothing at all! Can't we all just get along!

    Micro$oft has lots of money (BTW. WTF. Why Isn't /. talking about the latest HIT on TECHSTOCKS? Is it because Linux suffered a lot?) so Microsoft has the money to make everyone go on with their business and shut their mouths.

    I wonder how much (intangible costs) will MS pay for this blunder?

  7. But you all thought it was true. by Russ+Nelson · · Score: 4

    Tell me: if someone had made the same claim (hidden backdoor) about Apache, would you have been as quick to believe it? The fundamental answer (which is the point Eric was making) is "No."
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:But you all thought it was true. by Black+Parrot · · Score: 3

      > We all thought it was true because we wouldn't put it past Microsoft for having such a flaw.

      And the perception is sometimes more important than the reality.

      However much this turned out to be a false alarm, the fact that it was taken so seriously by so many people (and not just us drooling anti-MS types) is going to be read by the non-technical crowd as a sign that this kind of thing really is possible.

      I think the next time a non-US parliament* discusses the issue, you'll find that the discussion has moved from last year's Could this kind of thing be happening? to this year's How do we protect ourselves from this kind of thing?

      I suspect this overblown flap will prove to be the last nail in the coffin of closed source software exports. People have just seen the proverbial writing on the wall, and would be fools to wait until they really do get stung before doing something about it. And conveniently, Open Source Software was just on the verge of public acceptance when all this happened.

      Rather than saying that this is something that was overblown in a way that never should have happened, the wise should be grateful that it happened and was overblown enough to reach their attention.

      I find myself increasingly unwilling to run non-OSS software on my Linux system at home, even though I don't have anything to hide or anything worth stealing. I wouldn't dream of running anything I hadn't compiled myself on a commercial site. And it's not hard to imagine how paranoid the directors of government agencies around the world must be getting about this kind of thing right now.

      Someday the alarm will be for real, and serious damage will be done. On that day the users of OSS will be patting themselves on the back for more than just the money they have saved.

      ~~~~~
      * I explicitly exclude the US, not because we don't have a parliament, but because we're way too stupid to let something like basic security stand in the way of supporting American businesses with our purchases.

      In fairness I should also note that although OSS seems to be the kind of source code that's getting attention right now, it might also suffice to have "closed" code under a non-disclosure agreement, so long as it was complete enough for you to compile it yourself. (Though even then the non-disclosure would presumably limit the number of pairs of eyes viewing it. Indeed, you would not even know whether you were actually getting the same code that the NDND got, with the result that you would need to scrutinize the whole thing yourself.)

      --
      Sheesh, evil *and* a jerk. -- Jade
  8. Grrrr.... by DanaL · · Score: 4

    But that is the annoying thing about Microsoft. Whenever there is even a fake report, they've had such a bad history of denying bugs for days, weeks or even months (I'm still bitter about DOS 6.0....) that when stuff like this happens, you have to take it seriously if you are using their products. It gets awfully frustrating.

    Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.

    Dana

  9. The Slashdot/Open Source Agenda by DeepDarkSky · · Score: 5
    Look, this Anti-Microsoft bashing is discrediting Slashdot and the Open Source community. Simple as that.

    I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.

    Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.

    Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.

    What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporation. Think about it. Here are the parallels:
    1. Linux = Windows whatever.
    2. Open Source Community = Microsoft Developers.
    3. Slashdot (and other places) = Microsoft marketing machine.

    I'm sure there are many others. But this is what I could think of.

    So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.

    In all fairness, I believe that Open Source has its roots in honest-to-goodness, but I think that the term has now been used by many self-serving people and companies with an agenda to use it as a marketing term.

    And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.

    1. Re:The Slashdot/Open Source Agenda by reptilian · · Score: 4
      Please allow me to rant.

      It seems whenever anyone starts calling their little group a community everything starts falling apart. Everyone now feels justified in making demands upon everyone else; everyone starts to think in the "mass mind" and it's only a matter of time until the tyranny of the majority destroys everything. There is no community. There's a slashdot community, I'll give you that, but if slashdot is the primary representative of Free Software, all hope in civilization is lost. Free Software, Open Source, whatever you want to call it, I don't see a community. I see everyone as an individual, all with equal rights, specifically the right to use their software however they god damn want to. So we all share something. Isn't that nice? It doesn't make it a community. It MUSTN'T be a community, or it will destroy itself over the petty demands of "the community."

      Now, rant over I think. You can't blame slashdot for this backdoor mishap. They got the story from WSJ and C|Net and whatever other websites published it. We've all complained before that slashdot editors should do some fact checking before posting stories that don't sound credible, but really, if you believe everything you read... things like this really aren't worth complaining about. Relax and shrug it off. No one is infallible.


      Man's unique agony as a species consists in his perpetual conflict between the desire to stand out and the need to blend in.

      --

      72656B636148206C72655020726568746F6E41207473754A

  10. Vuln-dev Plug by Anonymous Coward · · Score: 5
    Info about the list here:

    Vuln-dev FAQ

    We've been discussing this on the vuln-dev mailing list. Here are the relevant threads:

    Has anyone verified whether is is valid?

    Re: dvwssr.dll (Has anyone verified whether is is valid?)

    So far, consensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.

    Now, there is a worse hole that the CoreSDI guys have found:

    DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers

    It's an unrelated hole, that was inspired by RFP's post.

    RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.

    In either case, with two major problems related to the same .dll, and a huge embarrassment for MS, you WILL see this file patched. :)

    And let's not forget MS's word on the subject:

    http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

    BB

  11. Re:Alright.. by Zico · · Score: 4

    WTF is that string doing in this dll?

    It's just a string used for encryption. It could've been anything, but the programmers decided to make it a jab at Netscape.

    #2, Can Netscape sue for libel?

    Only if they can prove that their engineers are not indeed weenies. In other words, not bloody likely!! ;-)

    Cheers,
    ZicoKnows@hotmail.com

  12. Re:Ahem... by Russ+Nelson · · Score: 3

    No, because his point remains true: that if you cannot audit the source, the executables are less trustworthy. Perhaps the incident that prompted his observation is a non-incident. So what? His point is valid, and worth making, again and again (that's how you sell ideas, by the way, by repeating them).
    -russ

    --
    Don't piss off The Angry Economist
  13. Then what is this: by Alex+Belits · · Score: 3
    From http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1108:

    Two dlls (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system. This includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's website if hosted on the same physical machine.

    If this is true, this is a vulnerability in the environment with multiple users sharing a hosting service (but not with single user as someone probably thought originally).

    Anyone disproven this? Or now only vulnerabilities that don't require a local account on the system count as real?

    --
    Contrary to the popular belief, there indeed is no God.
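
    The condition described in comments 4 and 13 (a shared NT4/IIS4/FrontPage host where one site's author can read another site's .asp or global.asa source because the files are readable by "Everyone" or by the other author's account) is something a host administrator can audit for directly. The following script is an added example, not code from the thread or from any of the advisories it links; it models the server's file ACLs with a hypothetical, simplified data structure (AclEntry/HostedFile, constructed sample data, a flat "read" right) and flags ASP source files that principals from other tenants could read. It generalizes the two comments' scenario to any number of hosted sites.

    ```python
    """Audit a multi-tenant web root for ASP source readable across sites."""
    import os
    from dataclasses import dataclass, field

    # File types the thread's advisories single out: ASP pages and global.asa.
    SOURCE_EXTS = {".asp", ".asa"}

    # Principals that legitimately read every site on the box; not cross-site.
    HOST_PRINCIPALS = {"SYSTEM", "Administrators"}


    @dataclass
    class AclEntry:
        principal: str        # "Everyone" or an account such as "HOST\\authorB"
        rights: frozenset     # e.g. frozenset({"read", "write"})


    @dataclass
    class HostedFile:
        site: str             # virtual host that owns the file
        path: str             # path relative to that site's web root
        acl: list = field(default_factory=list)


    def is_source_file(path: str) -> bool:
        """True for files whose source an author should never see across sites."""
        return os.path.splitext(path)[1].lower() in SOURCE_EXTS


    def cross_site_readers(f: HostedFile, site_authors: dict) -> set:
        """Principals able to read f who are not authors of f.site or host admins.

        "Everyone" is expanded to the authors of every *other* site, because that
        is exactly the population the thread worries about: webmaster A reading
        webmaster B's ASP source on the same physical machine.
        """
        own = set(site_authors.get(f.site, ())) | HOST_PRINCIPALS
        others = {a for s, authors in site_authors.items() if s != f.site
                  for a in authors}
        readers = set()
        for entry in f.acl:
            if "read" not in entry.rights:
                continue
            if entry.principal == "Everyone":
                readers |= others
            elif entry.principal not in own:
                readers.add(entry.principal)
        return readers


    def audit(files, site_authors) -> dict:
        """Return {"site/path": sorted offending principals} for exposed source."""
        findings = {}
        for f in files:
            if not is_source_file(f.path):
                continue
            leak = cross_site_readers(f, site_authors)
            if leak:
                findings[f"{f.site}/{f.path}"] = sorted(leak)
        return findings


    # Constructed sample: two tenants on one server; siteB has over-broad ACLs.
    RW = frozenset({"read", "write"})
    R = frozenset({"read"})
    SITE_AUTHORS = {"siteA": ["HOST\\authorA"], "siteB": ["HOST\\authorB"]}
    SAMPLE_FILES = [
        HostedFile("siteA", "login.asp", [AclEntry("HOST\\authorA", RW)]),
        HostedFile("siteB", "global.asa", [AclEntry("HOST\\authorB", RW),
                                           AclEntry("Everyone", R)]),
        HostedFile("siteB", "db.asp", [AclEntry("HOST\\authorB", RW),
                                       AclEntry("HOST\\authorA", R)]),
        HostedFile("siteB", "logo.gif", [AclEntry("Everyone", R)]),  # not source
    ]

    if __name__ == "__main__":
        for path, who in audit(SAMPLE_FILES, SITE_AUTHORS).items():
            print(f"{path}: readable by {', '.join(who)}")
    ```

    On the sample data the audit reports siteB/global.asa and siteB/db.asp as readable by HOST\authorA, and ignores logo.gif because a world-readable image is not the problem the thread describes. On a real host the HostedFile list would be built from the actual directory tree and ACLs; the point of the check is that removing dvwssr.dll (the fix comment 4 recommends) and tightening these ACLs are complementary, since the ACLs are what made the cross-site read possible in the first place.
    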
  14. MS Bashers: The Religion Exposed by VividU · · Score: 3
    All of you MS Bashers remind me of Mac users from a few years back. So in love with your precious OS, so blinded by your hate of MS, so much so that your own shortcomings are invisible to you.

    I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangelizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.

    You all have lost sight of the fact that a computer is only a tool. And if you're wise, you will put your biases and prejudices aside and use the best tool for the given application!

    Linux [and open source] is not always the best solution to a given problem.

    The hypocrisy of your animosity is enormous. Would you have a PIII650 with 256MB if it wasn't for Windows being directly responsible for expanding the user base of PCs and thereby lowering the prices for everyone (that includes you, Linux user)?

    If you do not like it, do not use it. Your energies would be better spent taking care of the problems in your house instead of sweeping them under the rug.

    And, in case you're curious what my tools of choice are: Win2000 (which works great) and BeOS (which works even better!).

    1. Re:MS Bashers: The Religion Exposed by Wah · · Score: 4

      I would have thought that most of the Microsoft apologists would have lost their fervor after said company was found guilty of fucking everyone over in a Federal court of law. I guess some people just get used to it. I got sick of it, so there ya go. Here's to another 20 years of expensive easter eggs!!

      Microsoft has millions of dollars and a lot of easily convinced people to push their agenda. Linux has people who love it. There is a fundamental difference, some people embrace it, some people ignore it, some just go about their merry lives, hoping things will get better but never doing anything about it.

      There was a recent store closing in my town. A bookstore that could no longer compete and was forced to close its doors. Since then, a small awareness has arisen in people that the votes they make with their dollars and their actions help shape the world around them. If the only thing they look at is their own convenience, and their own bottomline, well, then that's how the community crumbles.

      If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old.

      Just the tip of the iceberg of a counter rant, and MHO.


      --
      +&x
  15. Rejoice! Slashdot still kicks ass! by mattbee · · Score: 3

    What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    Ah, but the encouraging thing is-- if Slashdot readers consist entirely of backslapping open-source bigots, why was your comment moderated to a +4? Why was the top-rated comment about the `Geek Pride' festival one that said, I think, that meeting Eric Raymond would be `about as enticing as a headwound'? Certainly among the Slashdot Illuminati, there's a strong voice of dissent to the party line.

    I get the impression that the majority of the comments you read on Slashdot represent the views of a group of kneejerk reactionary teenagers who, like you do when you're a teenager, are trying to find their niche to fit in. The sometimes heady political atmosphere of Linux advocacy is ideal for this sort of self-definition, gives you something to talk about at parties etc. (but does not, repeat not impress girls, take note. Skateboarding is still good for something. )

    Anyhow, I think the guys that run this site do a smashing job of keeping us posted. I don't think they have an agenda, but their attitude, like that of most balanced Linux users, is parallel to Linus' when he said jokingly that the purpose of Linux was to `conquer the world'. Slashdot's stories need to be taken with this sort of tongue-in-cheek comment in mind-- yeah, so MS has a dodgy DLL, big deal we will now inherit the earth bwahahaha... you're hardly meant to take it as serious political commentary. But I think the teeny contingent take it seriously and flood the comments boards with Borg-like efficiency because, well, they're just following a crowd like teenagers do.

    Hmmm, bit of a ramble. But you get my drift. I don't think Slashdot is going to be descending into back-slapping hell for a long while, and there are some really incisive, decent comments being moderated up. And let's not let ESR do security reports in future, because although he's written some good essays and software, he does have an annoying habit of posting complete tripe here.

    --
    Matthew @ Bytemark Hosting
  16. We'd have read the source by ebcdic · · Score: 3
    If someone had made this claim about Apache, we'd have looked at the source and known the answer in five minutes.

    And if there *had* been such a backdoor in Apache, whoever found it could have posted the code rather than just asserting it, so we'd be *right* not to be quick to believe an unsupported assertion.