Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft IIS4 Backdoor Claim Retracted

Posted by ryuzaki0 on from the interesting-bit dept.

maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists. " So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.

12 of 176 comments (clear)

  1. Vaporbug by HerrNewton · · Score: 5

    Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)

    ----

    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  2. Spoon! by yarmond · · Score: 5
    Time for a new advertising campaign by Microsoft?

    Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.

    --

    I'm going to live forever or die trying.

  3. Wasted time by roswell · · Score: 4

    We should try to make Linux and opensource look better instead of try to make its competitors worse. I'm getting sick of all the Microsoft crap on /.

    I likes the techie stuff. Gimme!

    --
    -- Kirk S
  4. Thanks for the article, Hemos by Zico · · Score: 5

    Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.

    As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.

    My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

    There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit yet.

    Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.

    Cheers,
    ZicoKnows@hotmail.com

  5. The actual vulernablity. by z4ce · · Score: 5

    Read this This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.

    Ian

  6. But you all thought it was true. by Russ+Nelson · · Score: 4

    Tell me: if someone had made the same claim (hidden backdoor) about Apache, would you have been as quick to believe it? The fundamental answer (which is the point Eric was making) is "No."
    -russ

    --
    Don't piss off The Angry Economist
  7. Grrrr.... by DanaL · · Score: 4

    But that is the annoying thing about Microsoft. Whenever there is even a fake report, they've had such a bad history of denying bugs for days, weeks or even months (I'm still bitter about DOS 6.0....) that when stuff like this happens, you have to take it seriously if you are using their products. It gets awfully frustrating.

    Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.

    Dana

  8. The Slashdot/Open Source Agenda by DeepDarkSky · · Score: 5
    Look, this Anti-Microsoft bashing is discrediting Slashdot and Open Source community. Simple as that.

    I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.

    Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.

    Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.

    What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporations. Think about it. Here are the parallels:
    1. Linux = Windows whatever.
    2. Open Source Community = Microsoft Developers.
    3. Slashdot (and other places) = Microsoft marketing machine.

    I'm sure that are many others. But this is what I could think of.

    So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.

    In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.

    And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.

    1. Re:The Slashdot/Open Source Agenda by reptilian · · Score: 4
      Please allow me to rant.

      It seems whenever anyone starts calling their little group a community everything starts falling apart. Everyone now feels justified in making demans upon everyone else; everyone starts to think in the "mass mind" and it's only a matter of time until the tyrrany of the majority destroys everything. There is no community. There's a slashdot community, I'll give you that, but if slashdot is the primary representative of Free Software, all hope in civilization is lost. Free Software, Open Source, whatever you want to call it, I don't see a community. I see everyone as an individual, all with equal rights, specifically the right to use their software however they god damn want to. So we all share something. Isn't that nice? It doesn't make it a community. It MUSTN'T be a community, or it will destroy itself over the petty demands of "the community."

      Now, rant over I think. You can't blame slashdot for this backdoor mishap. They got the story from WSJ and C|Net and whatever other websites published it. We've all complained before that slashdot editors should do some fact checking before posting stories that don't sound credible, but really, if you believe everything you read... things like this really aren't worth complaining about. Relax and shrug it off. No one is infallible.


      Man's unique agony as a species consists in his perpetual conflict between the desire to stand out and the need to blend in.

      --

      72656B636148206C72655020726568746F6E41207473754A

  9. Vuln-dev Plug by Anonymous Coward · · Score: 5
    Info about the list here:

    Vuln-dev FAQ

    We've been discussing this on the the vuln-dev mailing list. Here are the relevent threads:

    Has anyone verified whether is is valid?

    Re: dvwssr.dll (Has anyone verified whether is is valid?)

    So far, concensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.

    Now, there is a worse hole that the CoreSDI guys have found:

    DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers

    It's an unrelated hole, that was inspired by RFP's post.

    RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.

    In either case, with two major problems related to the same .dll, and a huge embarassement for MS, you WILL see this file patched. :)

    And let's not forget MS's word on the subject:

    http://www.microsof t.com/technet/security/bulletin/fq00-025.asp

    BB

  10. Re:Alright.. by Zico · · Score: 4

    WTF is that string doing in this dll?

    It's just a string used for encryption. It could've been anything, but the programmers decided to make it a jab at Netscape.

    #2, Can Netscape sue for libel?

    Only if they can prove that their engineers are not indeed weenies. In other words, not bloody likely!! ;-)

    Cheers,
    ZicoKnows@hotmail.com

  11. Re:MS Bashers: The Religion Exposed by Wah · · Score: 4

    I would have thought that most of the Microsoft apologists would have lost their fervor after said company was found guilty of fucking everyone over in a Federal court of law. I guess some people just get used to it. I got sick of it, so there ya go. Here's to another 20 years of expensive easter eggs!!

    Microsoft has millions of dollars and a lot of easily convinced people to push their agenda. Linux has people who love it. There is a fundamental difference, some people embrace it, some people ignore it, some just go about their merry lives, hoping things will get better but never doing anything about it.

    There was a recent store closing in my town. A bookstore that could no longer compete and was forced to close its doors. Since then, a small awareness has arisen in people that the votes they make with their dollars and their actions help shape the world around them. If the only thing they look at is their own convenience, and their own bottomline, well, then that's how the community crumbles.

    If you stick your head in the ground and ignore or dismiss the negaive actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old.

    Just the tip of the iceberg of a counter rant, and MHO.


    --

    --
    +&x