April 14, 2000 1:05 PM PDT
Microsoft secret file could allow access to Web sites
- Related Stories
Companies seek security experts to defend Web sitesMarch 1, 2000
Microsoft Web tool exposes usersJanuary 20, 1999
To exploit the weakness, a hacker would also need authoring privileges on a particular Web server. By accessing a single file, called "dvwssr.dll," the hacker could write a script allowing access to many more files on the site.
"This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center. "That's the extent of the vulnerability."
To read a file on another Web site on the shared server, the hacker would have to know the name and location of the file on the other site, Lipner explained. "You also must be authorized to do this," he said.
But figuring out file locations may not be that difficult. Many file names can be ascertained simply by accessing Web pages in a browser, and FrontPage's default placement of files would be known to anyone using the product. The same would apply to how Web hosting companies configure the path to files.
Microsoft apparently has been shipping software with the vulnerability for several years, possibly since 1996. Because Microsoft provides FrontPage 98 free with Windows NT 4.0 Server, the software is widely used for hosting Web sites on the Internet and across corporate intranets.
While the back door doesn't necessarily expose an entire Web server or corporate network to hackers, it does open access to Web site management files and possibly credit card information and user passwords.
Although Microsoft is treating the problem "as a serious security risk," a spokeswoman downplayed its overall effect. "Very few people are still using FrontPage 98," she said. "Most people are using FrontPage 2000."
But a quick survey of Web hosting services this morning found a number of major companies--such as Concentric Networks and UUNet--offering FrontPage 98 and FrontPage 2000 extensions.
Mark Bowden, president of BugNet, which supplies software bug fixes, said his organization will try to reproduce the security breach and that he considers it a serious threat that could affect many Web sites using FrontPage 98 extensions.
He also disagreed with Microsoft's contention that FrontPage 98 extensions are no longer widely used. "I've seen so many problems converting over to FrontPage 2000. It's not seamless," he said.
The password back door is potentially most devastating for companies that host commercial and consumer Web sites. Hosting providers typically apply FrontPage extensions individually to hundreds of thousands of Web sites, meaning the problem could be difficult to clean up.
Microsoft plans to post a security bulletin on its Web site as early as today and to issue an email about the vulnerability. The company will urge customers to delete the "dvwssr.dll" file, which should remove the back door.
Microsoft engineers apparently created the vulnerability during the height of competition between the software maker and Netscape Communications, now owned by America Online. At the time, the companies fiercely competed in both the Web browser and Internet server markets.
Software code enabling the back door includes the phrase "Netscape engineers are weenies!" The Microsoft spokeswoman made it clear the engineers' action is a firing offense. "It's absolutely against Microsoft policy, and Microsoft is looking into it seriously," she said.
The security hole's existence opens Microsoft to attacks on two fronts: from customers whose Web sites are exposed by the security hole and from state and federal trustbusters, who are completing the final stages of the Microsoft antitrust trial.
The reference to Microsoft's hard-fought battle with Netscape is unfortunate timing for the software giant. The Justice Department and 19 states are preparing remedy proposals in the Microsoft trial and could take notice of the event. U.S. District Judge Thomas Penfield Jackson earlier this month ruled that Microsoft violated federal and state antitrust law, in part because of anticompetitive behavior against Netscape.
"Microsoft has a really ugly situation on (its) hands," said Gartner Group analyst Michael Gartenberg. "This is a major, major issue for Microsoft because it's going to hurt their credibility at a time when they're straining from a credibility perspective."
The Netscape reference--coupled with the seriousness of the security problem--makes it hard for Microsoft to "clean up its tarnished reputation" when it is trying to get away from its "arrogant, self-righteous image," Gartenberg said.
"While it may not affect the remedies or affect the outcome in the court of law, it's definitely going to hurt Microsoft in the court of public opinion," he added. "Public opinion for Microsoft right now is just about as serious as the court of law."
A security consultant known as "Rain Forest Puppy" notified Microsoft about the problem in an email message yesterday morning at 9:53 a.m. after being contacted by an employee with Nashville, Tenn.-based ClientLogic.
Microsoft isolated the problem quickly. Within a few hours, "after a pretty thorough evaluation, it was clear that it was a security issue with FrontPage 98 and FrontPage 98 extensions, and we figured out at the same time there was a very simple fix: removing the single file," the Microsoft spokeswoman said.
Rain Forest Puppy said Microsoft engineers might not be responsible for the errant software code, which could have been written by someone working for Vemeer Technologies, the original developer of FrontPage. Microsoft bought Vemeer in 1995, which was when the suspect file was apparently coded.
ClientLogic, which is owned by Toronto-based Onex, provides outsourced marketing and fulfillment services to technology and e-commerce companies. The company would not discuss its discovery of the security breach but plans to issue a statement later today.