Minor Web security threat surfaces

Microsoft Corp. has acknowledged a minor threat posed by a "backdoor" password

in server software that could be exploited to gain access to World Wide

Web pages.

Engineers had written a backdoor into some of the company's Internet software

containing a password phrase that calls rival Netscape Communication Corp.

"weenies."

The threat, uncovered by two security experts, is not as serious as it seemed

when it first was identified last week. Initially, it had seemed that the

backdoor could be used by hackers to access Web site management files, but

it turns out that there are many caveats.

It was thought that any Web site using Microsoft FrontPage 98 extensions

was vulnerable, but instead, the backdoor is a problem for Web sites that

installed anything from the 4.0 option kit for the Microsoft NT 4.0 server

software. The backdoor isn't an issue for sites that use Windows 98 or Windows

2000, nor is it an issue for sites that installed software straight from

the Windows NT 4.0 CD-ROM.

Moreover, it affects only those sites that use Microsoft's Visual InterDev

1.0. That application, which is now in Release 7.0, is used to link information

from Web sites that use Microsoft's Active Server Pages.

Also, the backdoor can be exploited only by users who have Web-authoring

permission at a particular Web site. Such users could manipulate an ASP

(those containing the ".asp" extension), but because they need a valid user

name and password for Web-authoring access, their actions could be tracked.

Customers can eliminate the threat by deleting the computer file "dvwssr.dll"

from the affected software. That's the file that contains the backdoor "weenie"

code.

— Story copyright 2000 IDG News Service. All rights reserved.