Technology Stocks : How high will Microsoft fly?

To: Zoltan! who wrote (42469) 4/18/2000 8:09:00 AM
From: zwolff
 
More lawsuits???

Microsoft security hole puts Web sites at risk
By Joe Wilcox
Staff Writer, CNET News.com
April 17, 2000, 11:25 a.m. PT

Microsoft is battling a second security problem in Web management software used on
hundreds of thousands of Web sites around the world.

As reported on Friday, Microsoft acknowledged that rogue software code containing the phrase
"Netscape engineers are weenies!" was included in its Windows NT operating system and
could open up Web sites to unauthorized access. The nearly five-year-old code also can be
used to crash Web sites running FrontPage 98 server extensions, Microsoft has
acknowledged.

Now, in a second security notice posted late Friday, Microsoft
warned: "Shortly after publishing the bulletin, we learned of a new,
separate vulnerability that significantly increases the threat to users
of these products."

The new vulnerability potentially exposes hundreds of thousands of
Web sites to denial-of-service attacks, whereby hackers could
overrun the code with data and crash the sites. Because Microsoft
distributes FrontPage 98 for free with the Windows NT 4 server, it is
widely used by companies offering Web hosting services.

"We are treating this as a very serious problem, even though it is
different than what we first thought," said Steve Lipner, manager of
Microsoft's Security Response Center.

What remains unclear is the extent to which hackers could use the
code to bypass Web site security and gain access to files, potentially compromising
confidential data such as passwords or credit card information.

Lipner said the code does expose data and files to potential security breaches, "but only to
someone who would otherwise have permission to see it." He described the security breach as
a "hole in the wall," and nothing more.

Not all security experts accept Lipner's explanation, arguing the ability to breach security is
more serious, particularly on shared Web servers. Many Web hosting
companies offer what are called "virtual Web sites" on their servers. Rather
than managing their own individual Web servers, many small businesses
and corporations use these shared hosting facilities where the Web sites for
many domains are on one server. Typically, shared hosting costs much
less than "dedicated" hosting--one site on one server--and appeals to some start-ups and small
businesses looking to save money.

According to a security alert on SecurityFocus.com, the rogue software code, dvwssr.dll, can
be used by "anyone with Web authoring privileges on the target host to download" files from the
Web server. "This includes users with Web authoring rights to only one of several virtual hosts
on a system, allowing one company to potentially gain access to the source of another
company's Web site if hosted on the same physical machine."

Elias Levy, chief technology officer of SecurityFocus.com and moderator of the BugTraq
Internet forum, faulted Redmond, Wash.-based Microsoft for not catching a long-standing
problem affecting so many Web sites.

"Microsoft clearly has to put independent security auditing in place," he said. No company
should distribute software--particularly that is used on the Web--without having a second team
of developers check the code, he said.

"For the past several years it's been apparent that Microsoft's security development and testing
process has been way behind its ability to put out products," said John Pescatore, a security
analyst with Gartner Group.

While Microsoft further explores the extent of the security problem posed by the code, it is
offering an easy fix: Delete dvwssr.dll. But its larger remedy might not appeal to companies
offering Web hosting services. Lipner recommended Web hosting companies put one Web site
on one server.