Slashdot Mirror


Microsoft Admits To Backdoor In IIS [updated]

Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.

18 of 236 comments

  1. Does illustrate the advantage of Open Source by Badgerman · · Score: 4

    All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

    Security.

    Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.

    Now I'll be first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsoft's policies and attitudes, and now this debacle . . . that's highly bashable, that's indefensible.

    Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alternative to Microsoft.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  2. New or Old? by powerlord · · Score: 5
    Judging by the content (sparse that it is) "Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software", it seems like this might just be a rehash of the old NetscapeEngineersSuck (reversed) (or whatever the string actually was).

    While it's nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).

    On the other hand I did find out about a wonderful and relatively new (Posted May 02, 2001 to CIAC) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else :) in an ISAPI extension for submitting/controlling print jobs via HTTP that is enabled by default.

    In Microsoft's defense, more information (in easy bite-size portions that were a tad too sickening for me) is available here. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.

    One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?

    Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

    Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

    Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  3. Re:Cisco by MadAhab · · Score: 4
    Funny. But stupid. If someone can get in with a backdoor password, how are you supposed to keep anyone out?

    The Right Thing To Do with forgotten passwords is to make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  4. code review by konstant · · Score: 5

    For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when devs are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

    Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

    Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

    -konstant
    Yes! We are all individuals! I'm not!
  5. Let us not forget the NSA backdoor theory by joq · · Score: 4

    Analysis By People We Trust II: Bruce Schneier

    from: sci.crypt
    subject: NSA and MS windows

    A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

    Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

    Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

    I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

    Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

    But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.


  6. Re:April 2000 by phutureboy · · Score: 4

    Actually, the story's URL contains the string "articles/20010514/microsoft_ackno" which suggests that the article is from today, 2001-05-14.

    I couldn't find a link to it on the main story index though.

    --

  7. DLL naming convention by scoove · · Score: 5

    Gosh, where could they have come up with a name like dvwssr.dll?


    MEMORANDUM
    TO: BILL GATES
    FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
    OPERATING SYSTEM REMOTE CONTROL TEAM

    Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.

    DIR. SECRET SERVICE

    p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.


  8. and thanks to FOII... by scoove · · Score: 5

    we bring you this previously secret Microsoft response to the Secret Service's request:


    MEMORANDUM
    TO: BRIAN STAFFORD
    FR: STEVE

    Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bill's was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.

    Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.

    Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.

    Give me a call sometime!

    The Big Ball


  9. Re:Too Late for Some by Greyfox · · Score: 4
    Well then he should sue them. After all, when you're dealing with a commercial company, you actually have someone to sue, unlike open source software. Isn't that right?

    God I'd like to put a bullet in the head of that particular piece of FUD once and for all...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Re:Too Late for Some by SlaterSan · · Score: 4

    And now it's been slashdotted too.

  11. "Better security out of the box than Linux" by BierGuzzl · · Score: 5

    I'm guessing that we mean before it's inserted into the cdrom drive.

  12. April 2000 by rjamestaylor · · Score: 5

    This is really old news, as well as misleading. A curse on Yahoo Small Business for not including a time/date stamp on their story. See this Google search for more info.
    --
    -- @rjamestaylor on Ello
  13. Who are the "security experts"? by VSarkiss · · Score: 5
    Does anyone know who the "two security experts" are that the article refers to? Where they work, how they found it, etc.?

    I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.

    Search: microsoft iis security hole
    Search returned 745 documents
  14. What is everyone spewing about? by rabtech · · Score: 4

    This is the same old "Netscape Engineers suck!" backwards-text thing that was hashed (and rehashed) quite some time ago. It turns out that the string is just junk text in the file. It isn't a password, backdoor, or anything else.

    Take a look at what Bugtraq's owner had to say at the time (Bugtraq originally reported this issue.)

    It seems that someone testing the box entered the string and got into the Frontpage web w/ no password.... as it is pointed out below, that is because the security on the box wasn't set properly.... they could have typed in "MicrosoftSucks!" and gotten in.

    ======= BEGIN MESSAGE =========

    Ok, here's a breaking update.

    Latest reports say that there is

    NO VULNERABILITY IN DVWSSR.DLL

    Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

    Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

    MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

    Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

    In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

    That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

    From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

    I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

    This info may change again before it's finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissioned, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

    Finally, to my point about the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that it's not a password. Whatever it is, it appears to be meaningless junk text used as data.

    ===== END MESSAGE ======

    -------
    -- russ

    "You want people to think logically? ACK! Turn in your UID, you traitor!"

    --
    Natural != (nontoxic || beneficial)
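Russ's distinction above, between a protocol constant that both ends must know and an actual credential, as a constructed toy model in Python. This is added here and is not Microsoft's code: the real string in the .dll, its wire format, the `REQ ` header, the site names and user IDs are all placeholders. The server can only understand requests obfuscated with the shared constant, but whether a caller gets a site's source is decided by the per-site permissions alone, so the correct constant without permission gets nothing, and lax permissions let any user ID in.

```python
from dataclasses import dataclass

# Constructed placeholders: neither the real constant in the .dll nor its
# wire format is reproduced here.
SHARED_KEY = b"constructed-shared-constant"
WRONG_KEY = b"some-other-guess"
HEADER = "REQ "   # framing so the server can tell a well-formed request from noise


def obfuscate(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR obfuscation: applying it twice with the same key restores
    the data. Both ends must hold the same key, which makes it a protocol
    constant, not a credential: it carries no information about who is calling."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_request(site: str, path: str, key: bytes = SHARED_KEY) -> bytes:
    """Client side (the mtd2lv.dll role in the message): frame and obfuscate."""
    return obfuscate(f"{HEADER}{site}/{path}".encode("latin-1"), key)


@dataclass
class VirtualSite:
    name: str
    acl: frozenset   # user IDs allowed to read this site's source; "*" means anyone


class Server:
    """Server side (the dvwssr.dll role): understand the request, then let the
    per-site permissions decide."""

    def __init__(self, sites, key: bytes = SHARED_KEY):
        self.sites = {s.name: s for s in sites}
        self.key = key

    def handle(self, user: str, wire: bytes) -> str:
        text = obfuscate(wire, self.key).decode("latin-1")
        # Step 1: the shared constant only gets the request understood.
        if not text.startswith(HEADER):
            return "error: unintelligible request"
        site_name, _, path = text[len(HEADER):].partition("/")
        site = self.sites.get(site_name)
        if site is None:
            return "error: no such site"
        # Step 2: authorization comes from the permissions alone.
        if "*" not in site.acl and user not in site.acl:
            return "error: access denied"
        return f"source of {site_name}/{path}"


def scenarios() -> dict:
    """The cases Russ describes, with the server's answer for each."""
    strict = Server([VirtualSite("siteA", frozenset({"alice"}))])
    lax = Server([VirtualSite("siteA", frozenset({"*"}))])   # permissions never applied
    req = build_request("siteA", "default.asp")
    return {
        # Permitted user with the correct constant: normal operation.
        "authorized": strict.handle("alice", req),
        # Correct constant, but a user ID with no permissions: knowing it gets you nothing.
        "key_without_permission": strict.handle("TomDickandHarry", req),
        # Wrong constant: the server cannot even parse the request.
        "wrong_key": strict.handle("alice", build_request("siteA", "default.asp", WRONG_KEY)),
        # Lax permissions: any user ID is let in, whatever the constant is worth.
        "lax_permissions": lax.handle("TomDickandHarry", req),
    }


if __name__ == "__main__":
    for case, answer in scenarios().items():
        print(f"{case:>22}: {answer}")
```

The point of the two-step `handle` is that the obfuscation step and the authorization step are independent: fixing the test servers' permissions closes the "lax_permissions" case, and nothing about the constant ever needed to be secret for the "key_without_permission" case to be denied.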
  15. Bill Gates' Network Neighborhood by AlgUSF · · Score: 4

    I wouldn't be surprised if when Bill Gates clicks on his network neighborhood icon, every windows machine on the internet comes up with full access... :-)

    I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.

    --
    I want my rights back. I was actually using them when our government stole them after 9/11.
  16. Does Open Source do Better? by iCharles · · Score: 4
    OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

    With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

  17. Re:code review by imipak · · Score: 5
    code horror stories... I once reviewed code written by a co-worker who left a couple of months before. Got to the credit card validation routines:


    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...

    The site was less than a week from going live when we found that.
    --
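The `return 1;` stub above is the kind of defect a review catches only when the reviewer asks for evidence that the routine rejects bad input, not just that it accepts good input. As an added illustration (my own Python, not the co-worker's code or the site's), here is a Luhn checksum beside an always-true stub and a discriminating check that the real routine passes and the stub fails. The card numbers are standard test values, not real accounts.

```python
def luhn_valid(number: str) -> bool:
    """Luhn checksum (mod 10) over the digits of a card number.

    This only catches mistyped or malformed numbers; it says nothing about
    whether the card exists or is authorised, so it is a format check, not a
    fraud check. Spaces and dashes are accepted as separators."""
    if any(not (c.isdigit() or c in " -") for c in number):
        return False
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:   # common PAN lengths
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def stub_valid(number: str) -> bool:
    """What the reviewed routine actually did: accept everything."""
    # Placeholder kept here only to show how such a stub slips through.
    return True


def validator_is_discriminating(validate, good, bad) -> bool:
    """Review check: a validator must accept every known-good sample and
    reject every known-bad one. A stub that always returns True fails the
    second half, which is the half people forget to test."""
    return all(validate(n) for n in good) and not any(validate(n) for n in bad)


# Constructed samples: widely used test numbers, not real accounts.
GOOD = ["4111 1111 1111 1111", "4539-1488-0343-6467"]
BAD = [
    "4539 1488 0343 6468",   # one digit changed: checksum no longer matches
    "1234 5678 1234 5678",   # looks plausible, fails Luhn
    "4111",                  # too short
    "4111 1111 1111 111x",   # non-digit garbage
]


def review_results() -> dict:
    """Run the discriminating check against both routines."""
    return {
        "luhn": validator_is_discriminating(luhn_valid, GOOD, BAD),
        "stub": validator_is_discriminating(stub_valid, GOOD, BAD),
    }


if __name__ == "__main__":
    print(review_results())   # the stub is the one that fails
```

A positive-only test suite ("does a good card get through?") would have passed the stub; the negative samples are what make the check worth running before go-live.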

  18. Re:What I find alarming... by baptiste · · Score: 4
    Now I can bash Micro$oft with the best of them, but in their defense...

    The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.

    When you are talking about tens of millions of lines of code, it's impossible to find stuff like this unless you spend a LOT of time looking for it. In my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDAs. They spent MONTHS looking for backdoors and inappropriate comments like:

    // If we get here we are REALLY f**ked

    It was amazing how much stuff they found (mostly in the comment category) and how long it took to find it all in a code base that large.

    --