Borland InterBase backdoor detected

An intruder can reportedly use a secret password to enter an InterBase system and alter data, according to a new security advisory.

Borland's InterBase database software contains a "back door" that allows anyone with the appropriate password to wreak major havoc with the database and the computer it's running on, security experts said.

A back door is an undocumented way to get access to a computer system, typically using a secret password. In this case, the back door lets an attacker change the information stored in an InterBase database and insert programs that could enable even more damaging actions, according to an advisory posted Wednesday by the Computer Emergency Response Team.

The username and password--"politically" and "correct," respectively--are written into the program, easy to find, and can't be removed by changing settings, CERT said.

"It's definitely very severe," said analyst Ben Greenbaum. "Anyone running one of these servers and not reading security resources will remain wide open" to attack, he said.

Borland acknowledged the back door and has begun releasing patches. The company has notified customers and sales partners and will begin shipping repaired versions this week, said Jon Arthur, director of the InterBase project for Borland. The problem exists in versions 4, 5 and 6 of InterBase.

InterBase, which runs on Windows, Linux and a variety of Unix versions, is used by Motorola, Nokia, Boeing and the Boston Stock Exchange, Arthur confirmed. In addition, Cobalt Networks, now part of Sun Microsystems, ships InterBase on its special-purpose servers.

Back-door vulnerabilities are a serious problem because of how open they leave a computer to attack. Internet Security Systems, a security software and consulting company, has recorded four back-door vulnerabilities in recent months, said analyst Chris Rouland.

The back-door feature was an innocent addition to the code in 1994 that enabled one part of the database software to communicate with another password-protected part, said Jim Starkey, who launched InterBase but left in 1991 before the back door was added to the software. Starkey, though not a Borland employee, still works with InterBase, as does his wife, Ann Harrison, who runs an InterBase support company called IBPhoenix.

Borland released the InterBase program as open-source software in July, meaning that anyone may scrutinize the software, modify it and redistribute it. In fact, two such projects exist: the open-source InterBase and Firebird. Both the open-source versions are vulnerable to the back door, CERT said.

Programmer Frank Schlottman-Godde from the open-source Firebird project discovered the vulnerability Dec. 18, said Starkey and IBPhoenix, which develops and supports the Firebird version.

"Firebird administrators exchanged panic emails across the globe for some hours," said programmer site InterBase Developer Initiative. The project stopped the planned release of Firebird and fixed its own software.

The problem illustrates the double-edged sword of open-source software regarding security. On the good side is the fact that so many more programmers can scrutinize the software and find such problems--exactly what happened with InterBase. Many open-source advocates list this openness as a major advantage over closed, proprietary software such as the kind Microsoft distributes. Who knows what nefarious code lies within the millions of lines of Windows programming code, they ask.

On the other hand, it can be easier for a malicious programmer to find vulnerabilities. This particular back door has existed since 1994, and nothing was preventing a malicious programmer from finding it in the last six months.

Another advantage to open-source software is that people, if skilled enough, can fix problems themselves instead of waiting for a company to release a software patch. But that can be a problem. Borland cautions that applying patches that don't come from Borland voids the company's warranty.

Though speedy repair is a benefit of the open-source world, lack of formal support can be a problem, Rouland said. For example, it often requires a lot of programming expertise to apply a patch.

"Open source advances the technology quickly and gets patches out quickly, but you have to have gurus on staff," Rouland said.