Microsoft Security Flaw Goes Beyond FrontPage

Welcome Guest. | Log In| Register | Membership Benefits

April 17, 2000 (12:00 AM EDT)

Microsoft Security Flaw Goes Beyond FrontPage

By Imran Anwar,

A security flaw first found in FrontPage 98 and server extensions to that package also exists in Windows NT 4.0 Option Pack, according to the CRN Test Center.

Test Center engineers also found similar, suspicious code in Visual Studio6.0, although it was unclear whether that code represented a security threat.

The security flaw, first disclosed Thursday, renders solutions using the NT 4.0 Option Pack or FrontPage extensions non-compliant with the government's C2 security standard.

Unlike other security holes, which are usually generated as oversights, this one was intentionally added by Microsoft developers.

Microsoft acknowledged Thursday that the bug represented a major security threat. The bug allows hackers to gain access to key Web-site management files, potentially giving access to sensitive information such as customer credit card numbers.

As of yet, little is known about the bug except that Microsoft and certain "security consultants" were able to exploit it.

Microsoft said it planned to warn customers about the flaw via e-mail bulletins and an advisory published on its corporate Web site as soon as possible. However, no notices had been posted as of Friday afternoon.

FrontPage 98 began shipping free with Windows NT 4.0 three years ago, which indicates potential security breaches date back that long ago. The bug's backdoor password,"Netscape engineers are weenies!", would likewise indicate code was written at a time when competition between Microsoft and Netscape was at its height.

To exploit the security flaw, a hacker needs authoring privileges. The average web site visitor could not exploit this vulnerability. However, this does present a security concern for ISPs and solution providers hosting multiple web sites on a single server. A client given administrative privileges for their own web site could breach the security of another web site hosted on the same machine.

While the back door does not necessarily expose an entire Web server, it does open access to Web site management files and possibly user information and passwords. With that information in hand, anything else on the server is fair game.

Microsoft is urging customers to delete the computer file "dvwssr.dll" containing the offending code. The "dvwssr.dll" was included in the FrontPage 98 Server Extensions to support web sites created with Visual Interdev v1.0. The DLL also installs itself with anything from the Windows NT 4.0 Option Pack. For most organizations, removing the DLL should present no problems as Visual Interdev has gone through several revisions.

The Test Center also located the disparaging comment about Netscape engineers in a DLL shipped with Visual Studio 6.0. Whether the code represented a security threat was not yet known.

Although Microsoft has stated that few Web hosting providers actually use FrontPage 98, the CRN Test Center found that many of the major Web hosting providers support both FrontPage 2000 and FrontPage 98 for backward compatibility.

Test Center engineers also found a Perl script on the net that potentially exploits the security hole.