MS admits planting secret password

The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as-yet-unidentified employees.

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft (msft) urged customers to delete the computer file--called "dvwssr.dll"--containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.

Two security experts discovered the rogue computer code -- part of which was the denigrating comment "Netscape engineers are weenies!" -- buried within the 3-year-old piece of software. It was apparently written by a Microsoft employee near the peak of the hard-fought wars between Netscape Communications Corp. and Microsoft over their versions of Internet-browser software. Netscape later was acquired by America Online Inc.

One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy." Despite his unusual moniker, he is highly regarded by experts and helped publicize a serious flaw in Microsoft's Internet-server software last summer that put hundreds of high-profile Web sites at risk of intrusion.

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider."

"It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled." Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly.

In an e-mail to Microsoft earlier Thursday, Rain Forest Puppy complained that the affected code threatened to "improve a hacker's experience." Experts said the risk was greatest at commercial Internet-hosting providers, which maintain hundreds or thousands of separate Web sites for different organizations.

Lipner said the problem doesn't affect Internet servers running Windows 2000 or the latest version of its server extensions included in Frontpage 2000.

The digital gaffe initially was discovered by a Europe-based employee of ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells e-commerce technology. The company declined to comment because of its coming stock sale. The other expert, Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee.

When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."