Minor Web security threat surfaces
- By IDG News Service, Nancy Weil
- Apr 17, 2000
Microsoft Corp. has acknowledged a minor threat posed by a "backdoor" password
in server software that could be exploited to gain access to World Wide
Engineers had written a backdoor into some of the company's Internet software
containing a password phrase that calls rival Netscape Communications Corp.
The threat, uncovered by two security experts, is not as serious as it seemed
when it first was identified last week. Initially, it had seemed that the
backdoor could be used by hackers to access Web site management files, but
it turns out that there are many caveats.
It was thought that any Web site using Microsoft FrontPage 98 extensions
was vulnerable, but instead, the backdoor is a problem for Web sites that
installed anything from the 4.0 option kit for the Microsoft NT 4.0 server
software. The backdoor isn't an issue for sites that use Windows 98 or Windows
2000, nor is it an issue for sites that installed software straight from
the Windows NT 4.0 CD-ROM.
Moreover, it affects only those sites that use Microsoft's Visual InterDev
1.0. That application, which is now in Release 7.0, is used to link information
from Web sites that use Microsoft's Active Server Pages.
Also, the backdoor can be exploited only by users who have Web-authoring
permission at a particular Web site. Such users could manipulate ASP files
(those with the ".asp" extension), but because they need a valid user
name and password for Web-authoring access, their actions could be tracked.
Customers can eliminate the threat by deleting the computer file "dvwssr.dll"
from the affected software. That's the file that contains the backdoor "weenie"
— Story copyright 2000 IDG News Service. All rights reserved.