April 14, 2000

Microsoft Acknowledges Its Engineers
Placed Security Flaw in Some Software


Microsoft Corp. acknowledged Thursday that its engineers
included in some of its Internet software a secret
password -- a phrase deriding their rivals at Netscape
as "weenies" -- that could be used to gain illicit
access to hundreds of thousands of Internet sites

The manager of Microsoft's security-response center,
Steve Lipner, acknowledged the online-security risk in
an interview Thursday and described such a backdoor
password as "absolutely against our policy" and a firing
offense for the as yet unidentified employees.
The company planned to warn customers as soon as
possible with an e-mail bulletin and an advisory
published on its corporate Web site. Microsoft urged
customers to delete the computer file -- called
"dvwssr.dll" -- containing the offending code. The file is
installed on the company's Internet-server software with
Frontpage 98 extensions.

While there are no reports that the alleged security
flaw has been exploited, the affected software is
believed to be used by many Web sites. By using the
so-called back door, a hacker may be able to gain access
to key Web-site management files, which could in turn
provide a road map to such things as customer
credit-card numbers, said security experts who
discovered the password.

Two security experts discovered the rogue computer code
-- part of which was the denigrating comment "Netscape
engineers are weenies!" -- buried within the
three-year-old piece of software. It was apparently
written by a Microsoft employee near the peak of the
hard-fought wars between Netscape Communications Corp.
and Microsoft over their versions of Internet-browser
software. Netscape later was acquired by America Online

One of the experts who helped identify the file is a
professional security consultant known widely among the
Internet underground as "Rain Forest Puppy." Despite his
unusual moniker, he is highly regarded by experts and
helped publicize a serious flaw in Microsoft's
Internet-server software last summer that put hundreds
of high-profile Web sites at risk of intrusion.

Russ Cooper, who runs the popular NT Bugtraq discussion
forum on the Internet, estimated that the problem
threatened "almost every Web-hosting provider."

"It's a serious flaw," Mr. Cooper said. "Chances are,
you're going to find some major sites that still have it
enabled." Mr. Lipner of Microsoft said the company will
warn the nation's largest Web-site providers directly.
In an e-mail to Microsoft earlier Thursday, Rain Forest
Puppy complained that the affected code threatened to
"improve a hacker's experience." Experts said the risk
was greatest at commercial Internet-hosting providers,
which maintain hundreds or thousands of separate Web
sites for different organizations.

Mr. Lipner said the problem doesn't affect Internet
servers running Windows 2000, or the latest version of
its server extensions included in Frontpage 2000.
The digital gaffe initially was discovered by a
Europe-based employee of ClientLogic Corp.
(www.clientlogic.com) of Nashville, Tenn., which sells
e-commerce technology. The company declined to comment
because of its coming stock sale. The other expert, Rain
Forest Puppy, said he was tipped off to the code by a
ClientLogic employee.

When asked about the hidden insult Thursday, Jon
Mittelhauser, one of Netscape's original engineers,
called it "classic engineer rivalry."

