InternetNews.com: Backdoor Code Found in Microsoft Software

By Clint Boulton, InternetNews.com

Unidentified Microsoft
engineers have created a backdoor password in some of the
company’s Net software that may be used to gain illegal access to
sites all over the world.

Two security experts reportedly found the secret code, which
poked fun at rival Netscape’s engineers, referring to them as
“weenies,” the Wall Street Journal reported Thursday.

Steve Lipner, manager of Microsoft’s security-response center,
described such a backdoor password as “absolutely against our policy”
and a firing offense for the as-yet-unidentified employees.

The company said it would give clients, many of whom are
giant Net hosting providers, a heads-up with an e-mail bulletin and
an advisory published on its corporate Web site. Microsoft (MSFT)
urged customers to delete the file called “dvwssr.dll,” which
houses the offending code. The file is installed on the firm’s
Net-server software with FrontPage 98 extensions.

Although no reports have surfaced claiming the alleged security
flaw has been exploited, the affected software is believed to be
used by many Web sites. Should hackers take advantage of the
backdoor, they could gain access to key Web site management files,
which could yield customer credit card numbers, said security
experts who discovered the password.

It is believed that the code was written by a Microsoft engineer
during its browser wars with Netscape Communications.

The bug was discovered by Alf Serer from ClientLogic.com. He tipped off a
fellow expert, known only as “Rain Forest Puppy,” who confirmed the
backdoor after testing. RFP said the degrading “Netscape engineers
are weenies!” line was used repeatedly as a constant key.

“I was told by MS that only individuals with Web authoring
permission can use it, which is more than I had originally thought.
But it’s not as widespread as, say, RDS,” RFP said.

“Regardless of its actual purpose, or Microsoft’s intent, I
think the core interesting issue is that Microsoft literally coded
(or allowed) a .dll that used a static key such as ‘Netscape
engineers are weenies!’”

The code, and additional comments by RFP, may be seen here.