InternetNews.com: Backdoor Code Found in Microsoft Software
Apr 14, 2000, 21:01
By Clint Boulton, InternetNews.com
Unidentified Microsoft Corp. engineers have created a backdoor password in some of the company's Net software that may be used to gain illegal access to sites all over the world.
Two security experts reportedly found the secret code, which poked fun at rival Netscape's engineers, referring to them as "weenies," the Wall Street Journal reported Thursday.
Steve Lipner, manager of Microsoft's security-response center, said such a backdoor password was "absolutely against our policy" and a firing offense for the as-yet-unidentified employees.
The company said it would give clients, many of whom include giant Net hosting providers, a heads up with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft (MSFT) urged customers to delete the file called "dvwssr.dll," which houses the offending code. The file is installed on the firm's Net-server software with FrontPage 98 extensions.
Although no reports have surfaced claiming the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. Should hackers take advantage of the backdoor, they could gain access to key Web site management files, which could yield customer credit card numbers, said security experts who discovered the password.
It is believed that the code was written by a Microsoft engineer during its browser wars with Netscape Communications.
The bug was discovered by Alf Serer from ClientLogic.com. He tipped off a fellow expert, known only as "Rain Forest Puppy" (RFP), who confirmed the backdoor after testing. RFP said the degrading "Netscape engineers are weenies!" line was used repeatedly as a constant key.
"I was told by MS that only individuals with Web authoring permission can use it, which is more than I had originally thought. But it's not as widespread as, say, RDS," RFP said.
"Regardless of its actual purpose, or Microsoft's intent, I think the core interesting issue is that Microsoft literally coded (or allowed) a .dll that used a static key such as 'Netscape engineers are weenies!'"
The code, and additional comments by RFP, may be seen here.
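A check a site operator could run to act on the advisory's mitigation, written here as an added example (not code from the article, Microsoft or RFP): it walks a web-server directory tree and flags any file with the name Microsoft told customers to delete, or any file embedding the static key string RFP quoted, so a renamed copy is still caught. The sample directory layout and file contents below are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the file Microsoft told customers to delete,
# and the static key string RFP reported inside it.
BACKDOOR_FILENAME = "dvwssr.dll"
STATIC_KEY = "Netscape engineers are weenies!"

# Assumption: a Windows binary may store the string as narrow ASCII or as wide
# UTF-16LE, so both encodings are searched.
KEY_PATTERNS = (STATIC_KEY.encode("ascii"), STATIC_KEY.encode("utf-16-le"))


def scan_tree(root):
    """Walk `root` and return a sorted list of (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if name.lower() == BACKDOOR_FILENAME:
                reasons.append("filename matches advisory")
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if any(pattern in data for pattern in KEY_PATTERNS):
                reasons.append("contains static key string")
            if reasons:
                findings.append((str(path.relative_to(root)), "; ".join(reasons)))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway directory mimicking a web root (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    (root / "bin").mkdir()
    # Case differs from the advisory's spelling; the scan compares lower-cased names.
    (root / "bin" / "DVWSSR.DLL").write_bytes(b"MZ" + STATIC_KEY.encode("ascii"))
    # A renamed copy that only the embedded-key check will catch.
    (root / "bin" / "renamed.dll").write_bytes(b"MZ" + STATIC_KEY.encode("utf-16-le"))
    (root / "default.htm").write_bytes(b"<html>hello</html>")
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {reason}")
```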