
Microsoft Admits To Backdoor In IIS [updated]

timothy posted more than 12 years ago | from the but-open-source-cannot-be-trusted dept.


Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.


236 comments

I disapprove of this. (1)

Anonymous Coward | more than 12 years ago | (#223293)

I would recommend the installation of Apache server in lieu of IIS.

Apache, on the Internet's World-Wide-Web network at hypertext transfer protocol site www.apache.org, is the world's most popular Internet server for World-Wide Web services. Internet Information Services, on the other hand, is not. I have published additional guides on the subject, which can be purchased for $19.95 each.

Re:What is this password? (1)

Anonymous Coward | more than 12 years ago | (#223294)

linuxcodersareweenies

It's the admission (1)

Anonymous Coward | more than 12 years ago | (#223295)

We have all known about the back door for a while, but the date encoded in the URL is 2001 05 14. I can only presume that it's taken this long for Microsoft to admit to the backdoor. Admission is good. MS did the right thing, a year or so late!

Microsofties make better lovers (3)

Anonymous Coward | more than 12 years ago | (#223297)

because they're experienced at going down several times a night.

Re:code review (2)

torpor (458) | more than 12 years ago | (#223298)

Code reviews on a team basis are one thing, as are the inevitable bugs that slip through the cracks in this environment.

Backdoors which have been specifically placed there *by design*, as an implementation of corporate policy regarding control and access to 'fielded products', is another thing entirely.

Your company - Microsoft - has a particularly bad habit when it comes to shifty, underhanded policies such as this backdoor situation, and therefore it's not unreasonable to expect that the community at large raise alarm torches when holes such as this are discovered.

I don't disagree with you that security by peer review has its flaws.

But then, so do Microsoft's aggressive, predatory business practices.

Re:What is this password? (2)

Xenophon Fenderson, (1469) | more than 12 years ago | (#223299)

That's amazing! I've got the same combination on my luggage.


Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16

Okay... (1)

tzanger (1575) | more than 12 years ago | (#223300)

So they gave us the DLL with the offending code. I've not looked to see how big the DLL is but wouldn't it be pretty straightforward to locate the backdoor password now?

Re:code review (2)

Jason Earl (1894) | more than 12 years ago | (#223301)

The fact of the matter is that, short of releasing source code, there is no way that your customers can be sure that there aren't any backdoors. For example, it would be much easier for your Dev team to insert a method called PayEntireDevTeam() than for one member to insert the mythical PayTim() method. For Tim to get away with the insertion of his method he would have to be more clever than all of the reviewers. But if all of the auditors were in on the backdoor then there is no defense.

I would like to think that Microsoft would be trustworthy on this account. But this is the same company that released a spreadsheet that doubled as a flight simulator. Quite frankly, I doubt that a whole lot of auditing actually occurs. And if you can convince a group of Microsoft employees that a flight simulator is an important feature of a spreadsheet, then inserting a backdoor should be child's play.

No. It is NOT perfect! (1)

Chas (5144) | more than 12 years ago | (#223310)

Okay, as much as I hate MS products and their lack of options, the revelation of this back door is NOT perfect.

It means that there's a bunch of poor bastards out there who're going to get their systems trashed because they believed in Microsoft.

Yes. This may be a wicked little ego boost to the mindless OSS boosters. But to everyone else, it's a pain in the ass and potentially VERY damaging to some people's sites/businesses.

So gloating to the point of calling this "perfect" is WAY off-base. And, frankly, I'd expected a little more from you guys.


Chas - The one, the only.
THANK GOD!!!

Re:Back Door? (2)

ethereal (13958) | more than 12 years ago | (#223321)

On the contrary, that's the first time that link's been on-topic in quite a while.

Caution: contents may be quarrelsome and meticulous!

MY lord (1)

siberian (14177) | more than 12 years ago | (#223324)

Last week it was the IIS overflow bug, now it's a low-level password left behind. I love showing this stuff to potential clients, it always swings them from competitors to our lovely web farm...

Re:What I find alarming... (2)

HiThere (15173) | more than 12 years ago | (#223328)

I'm not sure why they insisted on removing that kind of comment. It's lots of work, and though the comment isn't ideally informative, it's sure better than no comment at all.

Perhaps many of their coders were under 18, and wouldn't be allowed to look at the code?

Caution: Now approaching the (technological) singularity.

Re:Does illustrate the advantage of Open Source (2)

TWR (16835) | more than 12 years ago | (#223332)

You misunderstand Ken Thompson. In fact, he's proving the point about Microsoft's closed software. He is pointing out that you cannot trust one source for all of your software. The compiler and the telnet daemon were both written by the same person, and he put in the back door in both.

MS selling you the OS, the compiler, the web server, the mail server, the database, the office applications...it's a very dangerous situation if your company takes its privacy seriously. Combine that with Microsoft Passport and Hailstorm and you'd have to be either psychotic or stupid (possibly both) to use .NET.

-jon

Does illustrate the advantage of Open Source (4)

Badgerman (19207) | more than 12 years ago | (#223339)

All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

Security.

Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.

Now I'll be the first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsoft's policies and attitudes, and now this debacle . . . that's highly bashable, that's indefensible.

Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alternative to Microsoft.

Is it just FrontPage? (1)

The Cat (19816) | more than 12 years ago | (#223340)

Is this dll only included with the FrontPage extensions, or is it part of IIS normally? Frankly, I've never been a big fan of the whole "FrontPage" system, the program or the "extensions."

As far as I can tell, FrontPage extensions make as big a mess out of a web server as FrontPage itself makes out of its HTML. :)

should have known (1)

cruelworld (21187) | more than 12 years ago | (#223342)

If anyone manages to get their hands on Bill Gates' laptop his screensaver password is "netscapesuxs"

Hrm.. (1)

arkham6 (24514) | more than 12 years ago | (#223344)

I guess this blows the 'More secure than linux out of the box' concept out of the water.

Because we went through this last year (3)

SEWilco (27983) | more than 12 years ago | (#223345)

Actually, the URL of the Yahoo article includes "20010514". Today's date is 2001/05/14. Apparently it's new news at Yahoo.

The only date in the article or within the HTML is "Last Thursday", the same phrasing in the 2000/04/14 WSJ article. Microsoft's information is within this modified security bulletin [microsoft.com].

What it will take. (3)

powerlord (28156) | more than 12 years ago | (#223349)

I hate to say it, but what it will take is something truly vindictive. A worm on the scale of the ILOVEYOU virus, but with a truly destructive payload. The ILOVEYOU virus wasn't that destructive to most people. It targeted MP3s, and several Media files. Neat, okay. But it still left your computer usable.

Imagine a virus on this scale that does the following:

1) replicate itself through either e-mail attachment, or by forwarding a random encoded name (cut/paste algorithm from mailbox? past message with a "I'm not sure I sent you this" + Subject, replacing a link within the message for a poisoned website/ftp site.

2) wipe all network attached drives

3) enter commands in the registry's "RunOnce" section to remove the system files on the next reboot (these can only be done prior to their being loaded, otherwise the system tends to be persnickety about it). Don't forget things like the CMD/COMMAND shell.

4) (optional) attempt a remote access/infect of all machines within a given IP range (defined by SubnetMask?).

5) If you are using step 4 then move step 1 to here so recently hacked/poisoned web/ftp sites can be inserted into mail message preventing stagnation of link. For extra credit have the virus self-modify to include a running list of where it's been (or what sites it's tried to help cut down on duplicated effort. Short run log might also help trace back to source so the IP addresses should be normalized/sorted, not appended to the end. This will also help in updating the list as the worm moves).

6) You've done all the mischief you can. Now reboot the system to truly FSCK the end user.

This is just a broad outline, but seriously.
If this sort of thing happened, the results would be two-fold.

1) Definite: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not their fault.

2) Less Likely: (but wishful) People might realize how security is iterative and valuable. It is much more tangible than the social contract most of us assume it to be. We figure, "we're not worth it", or, "who would bother me?" and joke about security, but your average end user doesn't really care (ask the same person about 'air-bags' and see how much they do care if they feel vulnerable).

With the days of standard, high-speed access in the homes, the scenario I outlined above is all too real and all too close to happening.

I guess this probably won't make much of a difference in MSFT server sales... unless the payloads are consistently delivered via an MSFT server (or else the virus specifically targets MSFT servers by using some central warehouse of net accessible MSFT servers, like say netcraft).

P.S. I do not encourage AT ALL making the above virus. I think it would be a malicious piece of garbage and would be the first in line to string the writer up by their anatomy. On the other hand I doubt I'm the first to think of this sort of thing so I have only slight qualms about writing it down (the more who are concerned about it, the less likely it will come to pass), and there would (still) be major technical obstacles to be overcome, for a virus of this type to be created and released.

New or Old? (5)

powerlord (28156) | more than 12 years ago | (#223350)

Judging by the content (sparse that it is) " Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software", it seems like this might just be a rehash of the old NetscapeEngineersSuck (reversed) (or whatever the string actually was).

While it's nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).

On the other hand I did find out about a wonderful and relatively new (Posted May 02, 2001 to CIAC [ciac.org]) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else :) in an ISAPI extension for submitting/controlling print jobs via HTTP that is enabled by default.

In Microsoft's defense, more information (in easy bite-size portions that were a tad too sickening for me) is available here [microsoft.com]. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.

One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?

Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

Re:Cisco (4)

MadAhab (40080) | more than 12 years ago | (#223357)

Funny. But stupid. If someone can get in with a backdoor password, how are you supposed to keep anyone out?

The Right Thing To Do with forgotten passwords is to make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:April 2000 (2)

anticypher (48312) | more than 12 years ago | (#223363)

First thing to my mind was someone has re-discovered "!seineew era sreenigne epacsteN" all over again. The lack of a date stamp leads me to believe someone has hoaxed the slashdot submission queue (again). There is also something fishy about that http://smallbusiness.yahoo.com/entrepreneur.html URL, there's nothing under that tree except the standard banner/skyscraper ads.

The only other reasonable assumption is that M$ has finally admitted, 13 months after the shitstorm, that they did indeed have an exploitable backdoor in IIS. The last statements I heard, during the shitstorm of April 2000, were that the string existed but couldn't lead to any compromise. Perhaps M$ has now tortured a confession out of the engineers and realised there is a backdoor. But the mention of dvwssr.dll ties this into last year's fiasco.

Most likely is that this is a glitch story accidentally reposted by a yahoo editor. Only time, and maybe a slashback, will tell.

the AC

Re:code review (2)

Hard_Code (49548) | more than 12 years ago | (#223364)

Through the net it's easier to have "code reviews" because anybody can review somebody else's code without ever having to meet that person face to face, and many times without even corresponding directly with them. Having a "physical" code review, on the other hand, has the effect of putting people on their guard, and inhibiting critiques they might otherwise have.

I wonder how to solve this. Perhaps make a "game" of code reviews...people who contribute get "points"...or other people can "vote up" contributions. Perhaps something like this. This way, ego sort of gets put on the shelf, because you're not really attacking the person sitting opposite of you, you're just "gaining points". I don't know if this would work in reality...but code reviews are almost universally dreaded, even though they should probably be practiced much more often.

Microsofts actual fault (1)

AnalogBoy (51094) | more than 12 years ago | (#223366)

MS's actual failure here is their QA and legal staff. Think logically. Microsoft would never, ever release software that intentionally had a security hole in it. Yes, there are bugs in and out. Yes, there are [accused] NSA Backdoors. HOWEVER, planting a LEGIT hole in software is like beating on the doorway to the DOJ screaming "TAKE ME NOW!". AntiTrust suit aside, this has no ambiguity. Microsoft, purposefully sticking a backdoor in their software and keeping it hidden from their customers, seems to me to be 100% illegal.

It then makes no sense for MS to let this pass. The financial repercussions are severe. As I stated above, QA should have caught this. So, if anything, Microsoft's development methodology, and NOT its legal practices, are likely to blame in this case.

Disclaimer: Yes, I know posting a Microsoft-positive message on Slashdot is begging for a (-1, Flamebait) rating. If the idea to mod me down has crossed your mind, congratulations, you're a bigot.

Re:Predicted comment breakdown for this article: (2)

AnalogBoy (51094) | more than 12 years ago | (#223367)

One day I will follow my dream of becoming a master in the field of psychology, and then, between meaningful activities I'll sit down and write a theory on how the collective open-source mind of Slashdot operates. And somehow, I think the results of the personality breakdown will be similar to what you just posted.

I calculate about another 2 years until Slashdot degrades to the point where an empty story will be posted stating "Microsoft Sucks". CmdrTaco will implement a filter which uses advanced neural net filtering to decide if a post is pro-Microsoft, and the post will immediately get rated at the new (-5, idiot) level. Any pro-Linux post will get +5. Truly insightful posters will move onto some new forum. Of course, the trolls will split into two groups, both somehow equally as annoying as before. Shortly thereafter, a singularity will form above RedHat's HQ and suck in all things open-source, as Bob Young rips off his face mask (a la MI:2) to reveal... Bill Gates.

To quote the book of Sith, passage 30:23, "And the dark lord sayeth, Strike out at me, and become me, for truly I am thyself, with a more menacing outfit."

Corporate culture anybody? (1)

mojotooth (53330) | more than 12 years ago | (#223368)

I hope nobody's buying this whole "It's against our corporate policies but somehow this backdoor got in here anyway."

I don't fall for that in a second. SOMEBODY told somebody to put that backdoor in there. And even if not, SOMEBODY had to decide that somebody wanted that backdoor in there.

In either case, it's just an example of a group of designers who expect their superiors to support this kind of "feature."

This is probably one of the best reasons to use an open-source application I've ever heard.

Too Late for Some (2)

Milican (58140) | more than 12 years ago | (#223369)

Well, it's too late for my friend Daniel. He is running 2000 with IIS and his site [danielhankins.net] was already hacked. A reactive position like Microsoft's is not a very good solution. Yes, Daniel should have been running Apache on Linux (like me) and since this was a personal site he didn't lose too much, but backdoor passwords are simply retarded in this day and age. Microsoft should know better.

John

code review (1)

konstant (63560) | more than 12 years ago | (#223371)

For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when devs are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

-konstant
Yes! We are all individuals! I'm not!

code review (5)

konstant (63560) | more than 12 years ago | (#223372)

For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when devs are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

-konstant
Yes! We are all individuals! I'm not!

Let us not forget the NSA backdoor theory (4)

joq (63625) | more than 12 years ago | (#223373)

Analysis By People We Trust II: Bruce Schneier

from: sci.crypt
subject: NSA and MS windows

A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.
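To make the two-key point above concrete, here is an added example in Go (not Microsoft's CryptoAPI code and not part of Schneier's post): a trust store that accepts a module signed by either of two keys, beside one that honours a single key at a time and only moves to the spare after a rollover statement signed by the primary. The key roles, the rollover statement wording and the constructed module bytes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustStore holds the public halves of the two provisioned signing keys
// (a primary and a spare) and whether a rollover to the spare has been authorised.
type TrustStore struct {
	Primary    ed25519.PublicKey
	Spare      ed25519.PublicKey
	rolledOver bool
}

// VerifyEither mirrors the "signed by EITHER key" rule: a module is trusted if
// either key signed it. No rollover state is kept, so every holder of either
// private key is trusted forever and neither key can ever be retired.
func (t *TrustStore) VerifyEither(module, sig []byte) bool {
	return ed25519.Verify(t.Primary, module, sig) || ed25519.Verify(t.Spare, module, sig)
}

// rolloverMsg is the statement the primary key must sign to activate the spare.
// The exact wording is an assumption of this example.
const rolloverMsg = "ROLLOVER: activate spare key, retire primary"

// Rollover switches the store to the spare key, but only once and only when the
// transition statement is signed by the primary; anything else is ignored.
func (t *TrustStore) Rollover(sig []byte) bool {
	if t.rolledOver || !ed25519.Verify(t.Primary, []byte(rolloverMsg), sig) {
		return false
	}
	t.rolledOver = true
	return true
}

// VerifyWithTransition honours exactly one key at a time: the primary before
// rollover and the spare after it, so the retired key stops being trusted.
func (t *TrustStore) VerifyWithTransition(module, sig []byte) bool {
	if t.rolledOver {
		return ed25519.Verify(t.Spare, module, sig)
	}
	return ed25519.Verify(t.Primary, module, sig)
}

// Outcome records what each policy decides for a spare-signed module.
type Outcome struct {
	EitherAcceptsSpare        bool // permissive rule accepts the spare immediately
	StrictAcceptsSpareBefore  bool // transition rule before any rollover
	BogusRolloverRejected     bool // rollover statement signed by the spare itself
	StrictAcceptsSpareAfter   bool // transition rule after a primary-signed rollover
	StrictAcceptsPrimaryAfter bool // retired primary after rollover
}

// Demo generates two fresh keys, signs a constructed module blob with each,
// and runs both policies over it.
func Demo() Outcome {
	pubP, privP, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubS, privS, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := &TrustStore{Primary: pubP, Spare: pubS}

	// Constructed sample input standing in for a crypto provider module.
	module := []byte("constructed sample: crypto provider module bytes")
	spareSig := ed25519.Sign(privS, module)
	primarySig := ed25519.Sign(privP, module)

	var o Outcome
	o.EitherAcceptsSpare = store.VerifyEither(module, spareSig)
	o.StrictAcceptsSpareBefore = store.VerifyWithTransition(module, spareSig)
	// A rollover statement signed by the spare must not activate the spare.
	o.BogusRolloverRejected = !store.Rollover(ed25519.Sign(privS, []byte(rolloverMsg)))
	store.Rollover(ed25519.Sign(privP, []byte(rolloverMsg)))
	o.StrictAcceptsSpareAfter = store.VerifyWithTransition(module, spareSig)
	o.StrictAcceptsPrimaryAfter = store.VerifyWithTransition(module, primarySig)
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```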


Last Thursday? (3)

z4ce (67861) | more than 12 years ago | (#223376)

Which last Thursday would that be? This [saclug.org] last Thursday? How about this [zdnet.com] last Thursday? Nice one, Yahoo... post [yahoo.com] an article from April 2000 in May 2001. I bet Microsoft will be angry as heck. And they deserve to be, this seems like plain libel to me.

Re:April 2000 (4)

phutureboy (70690) | more than 12 years ago | (#223378)

Actually, the story's URL contains the string "articles/20010514/microsoft_ackno" which suggests that the article is from today, 2001-05-14.

I couldn't find a link to it on the main story index though.

--

DLL naming convention (5)

scoove (71173) | more than 12 years ago | (#223379)

Gosh, where could they have come up with a name like dvwssr.dll?


MEMORANDUM
TO: BILL GATES
FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
OPERATING SYSTEM REMOTE CONTROL TEAM

Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.

DIR. SECRET SERVICE

p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.


and thanks to FOII... (5)

scoove (71173) | more than 12 years ago | (#223380)

we bring you this previously secret Microsoft response to the Secret Service's request:


MEMORANDUM
TO: BRIAN STAFFORD
FR: STEVE

Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bills was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.

Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.

Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.

Give me a call sometime!

The Big Ball


Weenies! (1)

CMU_Nort (73700) | more than 12 years ago | (#223381)


Isn't this just the "Netscape Engineers are Weenies" backwards backdoor? I assumed that and when I saw the name of the dll it was confirmed. Bad Yahoo! Bad! Go stand in the corner!

Re:April 2000 (2)

selectspec (74651) | more than 12 years ago | (#223382)

It's humorous how pathetic the technical reporting is on the Yahoo/CNET/WSJ/NYTIMES/etc. These guys need to stick to the "just the facts" reporting instead of their "editorial" deductions.

Re:Back Door? (3)

quigonn (80360) | more than 12 years ago | (#223384)

And what's worst: they don't have a single backdoor, they have a whole backoffice!

Re:Should be fined (1)

VB (82433) | more than 12 years ago | (#223385)

I'm going to be spending the rest of the day patching!

About 2 hours. I don't believe any give the choice to not reboot, either.

Linux rocks!!! www.dedserius.com [dedserius.com]

This news does not surprise me... (3)

stevens (84346) | more than 12 years ago | (#223387)

...but the reaction to it will surprise me. I expect it, and it will still surprise me: I predict this makes absolutely no dent in MSFT server sales.

You see, I think that most of the people who could learn from this sort of thing have already learned several times over.

I don't know what sort of catastrophe it will take for the rest of these people to learn...

Re:Back Door? (2)

fanatic (86657) | more than 12 years ago | (#223388)

Someone please moderate this asswipe to some nether region - this is a goatse.cx link.

--

Re:Too Late for Some (4)

Greyfox (87712) | more than 12 years ago | (#223393)

Well then he should sue them. After all, when you're dealing with a commercial company, you actually have someone to sue, unlike open source software. Isn't that right?

God I'd like to put a bullet in the head of that particular piece of FUD once and for all...

What's Amazing about this and what's not... (3)

BierGuzzl (92635) | more than 12 years ago | (#223398)

What we all should _really_ be amazed about is that Microsoft is actually getting around to admitting to this. An IIS backdoor is really not that surprising of a thing on its own. The only difference between a regular IIS bug and an IIS backdoor is that one was put there on purpose and the other was left there through carelessness.

"Better security out of the box than Linux" (5)

BierGuzzl (92635) | more than 12 years ago | (#223399)

I'm guessing that we mean before it's inserted into the cdrom drive.

U$oft spin doctors (2)

katarn (110199) | more than 12 years ago | (#223406)

U$oft spin doctors

How do Microsoft's PR people pull this off? The article attempts to shift the blame by pointing out that the code was "written during the dispute between Netscape and Microsoft over their versions of Internet-browser software." When other companies have software holes found, the media holds the manufacturer firmly and ultimately responsible, even if it was a disgruntled employee. But when talking about this Microsoft hole, the article goes way out of its way to make subtle hints at this dubious detail in an apparent attempt to shift the blame. Sure, it COULD have had something to do with the browser wars. But it could have just as easily been general anti-Microsoft sentiment. Or someone putting it in for their own personal gain. Or someone just being a smart ass. Again, when other companies have security breaches, no one goes "Awww, poor foobar.com, your bugs are okay because people are picking on you". No, they rip the company a new ass hole and their stock takes a dive.

Will this really change anything, though? (2)

DrEldarion (114072) | more than 12 years ago | (#223408)

Sure, it's big news that they've admitted to it, but will anything really change? As someone has already noted, this is actually a story from back in April. There has been no outburst so far (except for the Anti-Microsoft-But-I-Don't-Know-Why people who will soon flood this thread).

The world is too dependent on Microsoft, and Microsoft is too good at lying for this to really make any difference. If they did indeed put it in on purpose, all they have to say is that the programmers did it on their own and they had nothing to do with it... and only those programmers had access, so it doesn't really mean much. See how easy that is? Now imagine professional lawyers going over that and making it sound as confusing and convincing as possible.

This is not the end of Microsoft. Not even close. Their attitude about it is probably, "'Eh, whatever. Shit happens." They're still going to continue to rake in the dough, and the world will continue on like nothing has happened.

The only difference is that the Anti-MS crew has more anti-MS ammunition now (not that anyone will really listen to them about it, though.)

-- Dr. Eldarion --

Back Door? (2)

Ronin X (121414) | more than 12 years ago | (#223413)

Microsoft has been bending people over and 'entering through a backdoor' for years now...

Obligatory Outlook joke (1)

vanza (125693) | more than 12 years ago | (#223414)

The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin...

which will automagically install a patch when read with Microsoft® Outlook®.


--
Marcelo Vanzin

ASAP? (1)

ahknight (128958) | more than 12 years ago | (#223417)

ASAP would have been when they installed the backdoor...

Kind of sad, really. MS wants people to see them as an enterprise solutions company, as a big player, as a "leader" in security, so of course they have a backdoor into their IIS systems.

Kind of sickens the stomach to see these folks even close to winning the server market. (shiver)

Foreign governments use... (1)

Stoutlimb (143245) | more than 12 years ago | (#223424)

Windows?

I just wonder which agencies of the USA government knew about these back doors for years, and which ones are not yet revealed.

Any non USA government using windows has to be plain mad.

But why? (2)

don_carnage (145494) | more than 12 years ago | (#223425)

The article notes: "Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software."

So they put the code in there to...what? Check up on servers to see if they were running non-M$ extensions or packages? It just sounds a little odd to put a back door into a webserver for reasons of a dispute.


--

Who are the "security experts"? (5)

VSarkiss (173815) | more than 12 years ago | (#223435)

Does anyone know who the "two security experts" are that the article refers to? Where they work, how they found it, etc.?

I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.

Search: microsoft iis security hole
Search returned 745 documents

The song remains the same (2)

isomeme (177414) | more than 12 years ago | (#223440)

You know, for some reason I suspect that the new backdoor password contains the strings "taH deR" and seineew [evangel.edu].

--

Should be fined (1)

Nos. (179609) | more than 12 years ago | (#223441)

Microsoft should be fined, or punished in some way for this. Anyplace they say that IIS is more secure has just been proven false. I mean, how can any software be considered more secure than anything if it contains a backdoor! For example, the linked article in the post says Windows is more secure out of the box. Well, Win2K Advanced Server installs IIS by default (not sure about Front Page extensions though). Therefore, it is definitely NOT more secure.

The sad thing is, this probably won't affect sales of MS products one bit. Those who weren't informed will probably miss this bit, or downplay its importance. I know I'm supposed to be migrating our web server from NT4.0 and IIS to Win2K and IIS 5.0, but even if I brought this article to my boss, he'd downplay the importance. He'd bring up that at a regional level we're not supposed to install Linux; of course we're not supposed to install Win2K servers either, but that doesn't seem to matter.

Re:Should be fined (2)

Nos. (179609) | more than 12 years ago | (#223443)

Quick notes: I'm installing Server, not advanced. As with any install, you go check for updates, well, for 2000 Server, since June 6/2000, there are 31 critical updates for Windows 2000 Server, not including SP1. That's a little less than 1 per week. I'm going to be spending the rest of the day patching!

This is what passes for secure these days?

Trust (2)

Alien54 (180860) | more than 12 years ago | (#223444)

Of course, we should all trust Microsoft. Microsoft knows the value of customer trust.

Except, of course, when they make a mistake, or mis-speak, or omit certain details, or just out right lie.

Doesn't that seem to be happening uncomfortably often?

It is one thing to get control of a market by various hardball marketing tactics.

It is another to gain a market because of trust.

Check out the Vinny the Vampire [eplugz.com] comic strip

Let's be fair (3)

DeadVulcan (182139) | more than 12 years ago | (#223446)

Now, let's be fair. If you don't care about the open/free software philosophy (and just for the record, I do), and security is really the only thing we're arguing here, then the real questions are: when was this backdoor introduced, when was it discovered, and how soon will there be a patch?

The article mentions nothing in this regard, and doesn't warrant the comment, "Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet."

I can't see how this incident favours one side of the argument over the other, until we have more information about the circumstances.

--

What I find alarming... (3)

mizhi (186984) | more than 12 years ago | (#223447)


Is not the security hole... we all know M$ considers security matters a complete joke. People are at their mercy as to when to release fixes, if at all.

What raises a red flag with me is that the wording of the article indicates the password backdoor was put there intentionally... and we're supposed to trust M$ with our valuable and oftentimes, priceless data?

"Against our policy"... right. To hell with them.

Re:April 2000 (1)

MacGabhain (198888) | more than 12 years ago | (#223450)

They did include a date stamp. It's in the URL - 20010514, today. While you may be right, don't assume that a Microsoft security hole isn't there just because there was reported to be a similar one a year ago. (Again, you may be right, that it's just Yahoo being yahoos, but I don't see any reason to assume that there isn't another - real this time - backdoor just because there was a false alarm 13 months ago.)

Ethics and Computing (2)

InfoSec (208475) | more than 12 years ago | (#223454)

I'm a CISSP [isc2.org] and I have been bound to an ethical agreement that I cannot perform any illegal or shady activities in the computer industry. My concern is that Microsoft and other companies seem to be bound by no such agreements, either by their own internal policies or by their customers. Isn't it about time that Microsoft was made to be responsible for their security?? Shouldn't customers demand some kind of responsibility from Microsoft and others?
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.

"Microsoft" "backdoor" (3)

Hairy_Potter (219096) | more than 12 years ago | (#223458)

boy, this screams for a disgusting trollish gif or jpeg, but for the life of me I can't think of one.

The fact remains... (2)

Mytzle (238134) | more than 12 years ago | (#223463)

I work for one of the largest computer/technology companies in the world. When I suggest that we move just OUR servers (my team/division) to something like Apache, you should hear the crap I get. My manager dismisses it out of hand, and why? Because no one can buck corporate policy. Or no one will. Until people stop being scared of better alternatives just because it's "not what we use", these problems will continue. So sad.

Bill Gates' Network Neighborhood (4)

AlgUSF (238240) | more than 12 years ago | (#223464)

I wouldn't be surprised if when Bill Gates clicks on his network neighborhood icon, every windows machine on the internet comes up with full access... :-)

I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.



Does Open Source do Better? (1)

iCharles (242580) | more than 12 years ago | (#223465)

OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

On the other hand, Open Source does, at least, give you the option of checking it out. I suppose neither side has an advantage.

Does Open Source do Better? (4)

iCharles (242580) | more than 12 years ago | (#223467)

OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

Re:April 2000 (3)

valentyn (248783) | more than 12 years ago | (#223469)

There is a date/time stamp on the Yahoo story, and it's just what it looks like: May 14, 2001. The Slashdot crew is not to blame here: Yahoo! Small Business, Technology section [yahoo.com] made it a feature today. The link to entrepreneur.com that Yahoo has, has no references to this story. It seems Yahoo! is at fault here.

V.

Re:code review (1)

raju1kabir (251972) | more than 12 years ago | (#223472)

if you read the article, it states that microsoft has stated publicly that the code was not there as "an implementation of corporate policy", but rather, produced by some engineers on their own during the netscape vs. microsoft times. i don't like microsoft either, but it's not as if this was some massive conspiracy by microsoft

Happy birthday! Sorry I'm a day late.

If you were Microsoft, and someone had discovered your evil plan to backdoor IIS, and you were confronted by reporters, would you:

A) Say "Yes, we had an evil plan to backdoor IIS, you got us! Nice catch!", or

B) Say "It was all the action of a rogue programmer who has been dealt with appropriately and it will never happen again. We find this sort of thing unacceptable and it is completely against Microsoft policy."

Get your head out of the sand, please.

Re:code review (5)

imipak (254310) | more than 12 years ago | (#223479)

code horror stories... I once reviewed code written by a co-worker who left a couple of months before. Got to the credit card validation routines:

    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...

The site was less than a week from going live when we found that.
--

Re:Hey, Check This Out You SlashBorg Fuckwits! (1)

mahmud (254877) | more than 12 years ago | (#223480)

I will rephrase Arthur C. Clarke on space-elevators:
OpenSource will really kick off when everybody will stop laughing.

P.S. FYI, being a Luddite is not "IN" :P

M$ Easter Eggs (3)

kbeast (255013) | more than 12 years ago | (#223481)

That's weird, I saw this listed as an easter egg that when you enter the correct password, it displays a jpg of Bill Gates with his fist up my ass.

.kb

Re:What I find alarming... (4)

baptiste (256004) | more than 12 years ago | (#223484)

Now I can bash Micro$oft with the best of them, but in their defense...

The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.

When you are talking about tens of millions of lines of code, it's impossible to find stuff like this unless you spend a LOT of time looking for it. In my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDAs. They spent MONTHS looking for backdoors and inappropriate comments like:

// If we get here we are REALLY f**ked

It was amazing how much stuff they found (mostly in the comment category) and how long it took to find it all in a code base that large.

--

Slashdot... (3)

Scoria (264473) | more than 12 years ago | (#223491)

... Why is the Netscape Engineers are Weenies vulnerability/backdoor so perfect?

I didn't even have to read past the Yahoo article to realize what it was. The dynamic link library mentioned plus FrontPage 98 clicked in even my head.

Since the editors of Slashdot love bashing MS, can't they at least learn of NT's vulnerabilities before posting them? Anyone who knew something about NT would have spotted that was old before reposting it.

No offense to Slashdot and I'm not a troll. I just can't believe this.

Not really a security hole. (1)

AnotherBlackHat (265897) | more than 12 years ago | (#223492)

It's not really a security hole unless you can use it to perform a denial of service attack against the company that sells the broken software.

So? (1)

J3zmund (301962) | more than 12 years ago | (#223495)

The fact that there's a backdoor in MS products does not shock me. The fact the MS ADMITTED there is a back door IS a bit surprising.

Is anyone really surprised by this backdoor at all?

If so, please explain...

the password is... (1)

DragonPup (302885) | more than 12 years ago | (#223496)

"Bend over and say hello to Uncle Billy!"

-Henry
"Getting your large intestines removed doesn't hurt at all. Until you wake up" -Me

"IIS sucks" is news? (1)

tuxlove (316502) | more than 12 years ago | (#223506)

I think it's well established that IIS is a hunk of Internet Swiss cheese. This story just reinforces that yet again. Yada Yada.

Anyone using IIS for actual important stuff and making it publicly accessible is either extremely ignorant or very stupid. You can't secure IIS, so if you use it you are simply acknowledging to the world that you don't care about the sanctity of your host system.

Again? (1)

Ultra64 (318705) | more than 12 years ago | (#223508)

Didn't this happen once before?
I seem to remember reading an article where it was discovered that MS had left a password "Netscape engineers are weenies" or something to that effect.
Someone correct me if I'm wrong...

Re:code review (2)

dhamsaic (410174) | more than 12 years ago | (#223514)

if you read the article, it states that microsoft has stated publicly that the code was not there as "an implementation of corporate policy", but rather, produced by some engineers on their own during the netscape vs. microsoft times. i don't like microsoft either, but it's not as if this was some massive conspiracy by microsoft to h4x0r some web sites or steal credit card numbers. they already control enough of the web server market and have $27 billion in the bank. this was something a coder did, not the company.

Re:Cisco (1)

Einziger (410556) | more than 12 years ago | (#223515)

LOL - dude, you have such good spin on things you might consider politics. So let me get this straight: by microsloth coding a backdoor in, they are really providing a service? Yup, they sure are providing a service, the service of gaining unauthorized access. LOL

Scary Stuff (1)

dev!null!4d (414252) | more than 12 years ago | (#223519)

So it appears that little old Microsoft may be able to get in and out of servers as they wish? Can this be legal?

I'm a little surprised someone with a decompiler hasn't found this hole already?

Quiz (1)

mightyflash (444716) | more than 12 years ago | (#223523)

What does the filename "dvwssr.dll" stand for? (acronym)

"The company is also asking customers to delete the computer file called "dvwssr.dll", which contains the offending code. It is installed on Microsoft's Internet-server software with FrontPage 98 extensions."

Really now... (1)

qon (445909) | more than 12 years ago | (#223524)

Anyone who's surprised by this revelation (if it's confirmed) really should lay off the happy pipe. It's of a piece with their time-honored strategy.

Have they forgotten the point is to make a product that benefits their customers? How do 'features' like this benefit anyone other than Microsoft? As time goes by, I just keep finding more and more good reasons to avoid Microsoft and all their products.

Q

Nothing to be done (1)

chemical55 (446280) | more than 12 years ago | (#223525)

This is seemingly too ridiculous to be true, and yet nothing is going to be done to MS about it. Imagine if Ford installed hidden cameras in their cars or Nike placed tracking devices in their shoes? The outcry would be tremendous. It is as if people don't fully understand the problem, so it can safely be ignored. Arggg.. what's the use?

Re:Too Late for Some (1)

H1r0Pr0tag0n1st (449433) | more than 12 years ago | (#223526)

Yes, Daniel should have been running Apache on Linux. Or maybe Daniel should have installed the hot fix released over a year ago. Course I really don't see what his experience has to do with a back door in IIS, as you are referring to a completely separate (and automated) exploit.

I wondered... (1)

boiscout (450132) | more than 12 years ago | (#223527)

I always wondered how the "Made With Mac" images on all my pages got switched to "Powered With Win NT" images shortly after I moved from a Linux Box to an NT box.