MS security flaw called 'pinhole'

Microsoft retracts statements that the so-called 'Weenie' security hole is actually a backdoor

Call it the case of the disappearing security hole.

Initial reports of a "back door" in Microsoft's FrontPage server software -- a deliberate security hole put in to allow illicit access -- now seem to be, for the most part, incorrect.

While Microsoft admits that a security flaw does indeed plague a software module in its Web server product, the giant software company contradicted statements by one of its managers confirming the existence of a back door with the pass phrase "Netscape engineers are weenies!"

"Microsoft now has all the information, and we confirm there is a vulnerability in the product," said Microsoft spokeswoman Luisa Vacca. "But it is a really, really miniscule vulnerability. In no way is it a back door in the product."

"It's a pinhole," she said.

Russ Cooper, editor of Microsoft-software security site NTBugTraq, stressed, however, that Web site hosting services could be affected by the bug and said the hosting services should quickly fix it. "This is a hole that could allow information to be manipulated by others," Cooper wrote on the NTBugTraq Web site. "However, it's limited to 'others' who already have Web authoring permissions on the same box."

That could mean overtime for administrators at Web hosting sites like GeoCities and Tripod, but it refutes a Wall Street Journal report that called the security flaw a "back door" that would give attackers easy access to others' Web sites.

How it works Instead of a back door, the security hole is just that -- a bug in a dynamic link library, or DLL, file known as "dvwssr.dll" that allows access to a Web site's active server pages and applications. The file is provided by Microsoft to support Visual Interdev 1.0, an older and rarely used application that helps Webmasters track broken links.

However, the file is part of the default installation of Web servers using NT 4.0 and Microsoft's Internet Information Service software, making it fairly common. "It breaks the absolute wall between Web sites on a shared server," said Steve Lipner, manager of Microsoft's security response centre. "But you can't see anything that you're not authorised to by the access controllers."

By far the most interesting aspect of the flawed DLL is that it also contained a phrase deriding Netscape engineers.

Reports focused on a phrase -- "!seineew era sreenigne epacsteN" -- the backwards spelling of "Netscape engineers are weenies!" But NTBugTraq's Cooper and Microsoft both stressed that the phrase is not a password but a cypher key used to scramble the address of Web pages requested by users.

"'Netscape engineers are weenies!' was a dumb thing to put in there," Cooper said. "But if we took a dictionary cracker and went over Sun's code, we would find the same sorts of things."

Microsoft employees' own admissions didn't help the controversy. Lipner himself confirmed initial reports of the back door, according to the Wall Street Journal. "Some of the initial coverage was based on our preliminary analysis," Lipner said of speculation that sensitive data could be exposed. "The initial scare is pretty overblown."

Reuters contributed to this report.

What do you think? Tell the Mailroom. And read what others have said.

Take me to the Hackers News Special