Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft IIS4 Backdoor Claim Retracted

Posted by ryuzaki0 on from the interesting-bit dept.

maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists. " So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.

6 of 176 comments (clear)

  1. Vaporbug by HerrNewton · · Score: 5

    Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)

    ----

    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  2. Spoon! by yarmond · · Score: 5
    Time for a new advertising campaign by Microsoft?

    Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.

    --

    I'm going to live forever or die trying.

  3. Thanks for the article, Hemos by Zico · · Score: 5

    Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.

    As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.

    My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

    There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit yet.

    Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.

    Cheers,
    ZicoKnows@hotmail.com

  4. The actual vulernablity. by z4ce · · Score: 5

    Read this This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.

    Ian

  5. The Slashdot/Open Source Agenda by DeepDarkSky · · Score: 5
    Look, this Anti-Microsoft bashing is discrediting Slashdot and Open Source community. Simple as that.

    I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.

    Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.

    Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.

    What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporations. Think about it. Here are the parallels:
    1. Linux = Windows whatever.
    2. Open Source Community = Microsoft Developers.
    3. Slashdot (and other places) = Microsoft marketing machine.

    I'm sure that are many others. But this is what I could think of.

    So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.

    In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.

    And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.

  6. Vuln-dev Plug by Anonymous Coward · · Score: 5
    Info about the list here:

    Vuln-dev FAQ

    We've been discussing this on the the vuln-dev mailing list. Here are the relevent threads:

    Has anyone verified whether is is valid?

    Re: dvwssr.dll (Has anyone verified whether is is valid?)

    So far, concensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.

    Now, there is a worse hole that the CoreSDI guys have found:

    DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers

    It's an unrelated hole, that was inspired by RFP's post.

    RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.

    In either case, with two major problems related to the same .dll, and a huge embarassement for MS, you WILL see this file patched. :)

    And let's not forget MS's word on the subject:

    http://www.microsof t.com/technet/security/bulletin/fq00-025.asp

    BB