From: Arthur S. Hitomi (ahitomi@ics.uci.edu)
Date: Tue Apr 18 2000 - 15:46:30 PDT
Microsoft: More security holes
By Robert Lemos, ZDNet News
April 17, 2000 4:53 PM PT
For a company that prides itself on the quality of its
software development prowess, Microsoft Corp. has
encountered a rough patch of late, racking up two security
holes as well as committing a major faux pas in the space of
less than a week.
One of the security holes could allow an attacker access to
pages on a Web hosting service. The other hole could enable
malicious code to be run. All the while, a message in the code
crowed that "Netscape engineers are weenies!"
If ever there was an incident demonstrating a need for
companies to pay more attention to the code they ship, this was
it, according to Elias Levy, chief technology officer for security
information site SecurityFocus.com. "This is definitely
something that should concern people," he said.
On Friday, Microsoft (Nasdaq: MSFT) revised a bulletin
outlining the security flaws. After publishing the bulletin,
Microsoft said it subsequently learned of a new, separate
vulnerability that increased the threat to users.
Strike One: "Netscape … weenies!"
By far, the most interesting aspect of the flawed dynamic link
library, or DLL, is that it also contained a phrase deriding
Netscape engineers. Specifically, the not-so-hidden phrase said
"!seineew era sreenigne epacsteN," or the backward spelling of
"Netscape engineers are weenies!"
Initially, the Wall Street Journal reported that the phrase opened
up a "backdoor" -- a deliberate hole in security put in to allow
illicit access -- in servers running Microsoft software.
While Microsoft admits that two security flaws do indeed mar a
software module in its Web server product, the software giant
retracted earlier statements confirming the existence of a
cyber-backdoor.
Russ Cooper, editor of Windows NT security watcher
NTBugTraq, stressed that the phrase is not a password, but a
cypher key used to scramble the address of Web pages
requested by users.
"'Netscape engineers are weenies!' was a dumb thing to put in
there," said Cooper. "But if we took a dictionary cracker and
went over Sun's code, we would find the same sorts of things."
Microsoft employees' own admissions didn't help the
controversy.
Steve Lipner, manager of Microsoft's security response center,
confirmed initial reports of the backdoor, according to the Wall
Street Journal. "Some of the initial coverage was based on our
preliminary analysis," Lipner said of speculation that sensitive
data could be exposed. "The initial scare is pretty overblown."
Strike Two: Link-View flaw
On top of the developer humor in the "weenie" put-down,
Microsoft initially admitted that a bug -- not a backdoor --
existed.
The bug is in a DLL file known as dvwssr.dll that allows access
to a Web site's active server pages and applications. The file is
provided by Microsoft to support Visual Interdev 1.0, an older --
and rarely used -- application that helps Webmasters track
broken links.
However, the file is part of the default installation of Web
servers using NT 4.0 and Microsoft's Internet Information
Server software, making it fairly common.
For the most part, the bug only affects Web-site hosting
services, and only after an attacker gets Web authoring access
on the servers.
NTBugTraq's Cooper, who said such services could be affected
by the bug, recommended users delete the DLL to plug the hole.
He said the hole could allow information to be manipulated by
others who already have Web authoring permission on that
particular server.
Strike Three: Buffer overflow
Late Friday, a Buenos Aires, Argentina-based security firm
trying to confirm the original bug found another -- potentially
more serious -- flaw.
"I started looking at that .DLL because there was much
controversy about the 'weenie' issue -- I wanted to clarify it
definitely," wrote Gerardo Richarte, research and development
engineer for CoreLabs, in an e-mail interview with ZDNet News.
The flaw is a so-called "buffer overrun" error, which causes the
target machine to essentially become confused whenever it's fed
too much data. Microsoft confirmed that the hole can be
exploited to give attackers access to a server that uses the DLL.
That could be bad for Web-hosting services, said Richarte. "The
flaw poses a serious risk to organizations providing hosting
services, as any of its customers could get complete control of
the server machine," he said.
Easy solution
Despite the dire warning, the problem is easy to solve: Delete the
file dvwssr.dll, said Microsoft's Lipner, who added that a patch
will not be released.
"Deleting the DLL is a workaround," he said.
Will Lipner have to face such an error in the future?
"I don't think so. It's a 5-year-old piece of code," he said. "It
was written about the time that the usage of the Internet was
becoming widespread or common. You could view this as sort
of an antique."
This archive was generated by hypermail 2b29 : Tue Apr 18 2000 - 15:54:11 PDT