Microsoft: Striking out in security?

For a company that prides itself on the quality of its software development prowess, Microsoft has encountered a rough patch of late, racking up two security holes as well as committing a major faux pas in the space of less than a week.

One of the security holes could allow an attacker access to pages on a Web hosting service. The other hole could enable malicious code to be run. All the while, a message in the code crowed that "Netscape engineers are weenies!"

If ever there was an incident demonstrating a need for companies to pay more attention to the code they ship, this was it, according to Elias Levy, chief technology officer for security information site SecurityFocus.com. "This is definitely something that should concern people," he said.

On Friday, Microsoft successively revised a bulletin outlining the security flaws. After publishing the bulletin, Microsoft said it subsequently learned of a new, separate vulnerability that increased the threat to users.

Strike One: "Netscape ... weenies!"

By far, the most interesting aspect of the flawed DLL is that it also contained a phrase deriding Netscape engineers. Specifically, the not-so-hidden phrase said "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!"

Initially, the Wall Street Journal reported that the phrase opened up a "backdoor" -- a deliberate hole in security put in to allow illicit access -- in servers running Microsoft software.

While Microsoft admits that two security flaws do indeed mar a software module in its Web server product, the software giant retracted earlier statements confirming the existence of a cyberbackdoor.

Russ Cooper, editor of Windows-NT security watcher NTBugTraq, stressed that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users.

"'Netscape engineers are weenies!' was a dumb thing to put in there," said Cooper. "But if we took a dictionary cracker and went over Sun's code, we would find the same sorts of things."

Microsoft employees' own admissions didn't help the controversy.

Steve Lipner, manager of Microsoft's security response centre, confirmed initial reports of the backdoor, according to the Wall Street Journal. "Some of the initial coverage was based on our preliminary analysis," Lipner said of speculation that sensitive data could be exposed. "The initial scare is pretty overblown."

Strike Two: Link-View flaw

On top of the developer humour in the "weenie" put down, Microsoft initially admitted that a bug -- not a backdoor -- existed.

The bug is in a dynamic link library, or DLL, file known as dvwssr.dll that allows access to a Web site's active server pages and applications. The file is provided by Microsoft to support Visual Interdev 1.0, an older -- and rarely used -- application that helps webmasters track broken links.

However, the file is part of the default installation of Web servers using NT 4.0 and Microsoft's Internet Information Service software, making it fairly common.

For the most part, the bug only affects Web-site hosting services, and only after an attacker gets Web authoring access on the servers.

NTBugTraq's Cooper, who said such services could be affected by the bug, recommended users delete the DLL to plug the hole. He said the hole could allow information to be manipulated by others who already have Web authoring permission on that particular server.

Strike Three: Buffer Overflow

Late Friday, a Buenos Aires, Argentina-based security firm trying to confirm the original bug found another -- potentially more serious -- flaw.

"I started looking at that .DLL because there was much controversy about the 'weenie' issue -- I wanted to clarify it definitely," wrote Gerardo Richarte, research and development engineer for CoreLabs, in an e-mail interview with ZDNet News.

The flaw is a so-called "buffer overrun" error, which causes the target machine to essentially become confused whenever it's fed too much data. Microsoft confirmed that the hole can be exploited to give attackers access to a server that uses the DLL.

That could be bad for Web-hosting services, said Richarte. "The flaw poses a serious risk to organisations providing hosting services, as any of its customers could get complete control of the server machine," he said.

Easy solution

Despite the dire warning, the problem is easy to solve: Delete the file dvwssr.dll, said Microsoft's Lipner, who added that a patch will not be released.

"Deleting the DLL is a workaround," he said.

Will Lipner have to face such an error in the future?

"I don't think so. It's a five year old piece of code," he said. "It was written about the time that the usage of the Internet was becoming widespread or common. You could view this as sort of an antique."

What do you think? Tell the Mailroom. And read what others have said.