BOSTON (04/14/2000) - Microsoft Corp. later today is expected to post a security alert regarding what now seems to be a minor threat posed by a "backdoor" password in server software that could be exploited to gain access to Web pages.
A Microsoft official acknowledged yesterday to the Wall Street Journal's online edition that engineers had written a backdoor into some of the company's Internet software containing a password phrase calling rival Netscape Communications Corp. "weenies."
The threat, uncovered by two security experts, seemed more serious than it turns out to be when it first was identified yesterday. It had seemed that the backdoor could be used by hackers to access Web-site management files that could lead to customer credit-card numbers and other information on many major Web sites. But the threat is much smaller than initially feared.
"It's a very small problem. It affects very few people," said Russ Cooper of Lindsay, Ontario, who owns and moderates the NT Bugtraq Internet discussion forum. He was not one of the security experts to identify the backdoor, but Cooper has been in touch with Microsoft regarding the matter, and although he at first thought it was a thornier problem than it actually is, he said information gathered yesterday clarified the extent of the problem.
"It's a threat," he noted. "It's a valid threat. The fact is that somebody could get something they shouldn't get." However, he added, only a limited number of Web servers are threatened.
Initially, it was thought that any Web site using Frontpage 98 extensions was vulnerable, but that has proved untrue. Instead, the backdoor is a problem for Web sites that installed anything from the 4.0 option kit for the Microsoft NT 4.0 server software. The backdoor isn't an issue for sites using Windows 98 or Windows 2000, nor is it an issue at sites that installed software straight from the NT 4.0 CD, Cooper said.
Moreover, it affects only those sites that use Visual InterDev 1.0, and that application is now in release 7.0. It is used to link information from active-server-page Web sites, Cooper said. Beyond that, the backdoor can be exploited only by users with Web-authoring permission at a particular Web site.
Such users could possibly manipulate an active server page (those containing the ".asp" extension) but because they need a valid user name and password for Web-authoring access, their actions could be tracked, Cooper said.
So, the threat, while real, contains "caveat after caveat after caveat," as it turns out, he said.
Customers can eliminate the threat by deleting the computer file "dvwssr.dll" from the affected software. That's the file that contains the backdoor "weenie" code.
Microsoft, in Redmond, Washington, can be reached at +1-425-882-8080 or http://www.microsoft.com/.NT BugTraq is at http://www.bugtraq.com/.