Vulnerability Development mailing list archives
Re: Has anyone verified whether is is valid?
From: talis () MILLCOMM COM (Ryan Permeh)
Date: Fri, 14 Apr 2000 20:42:33 -0500
from the reports, some of this is true, and some is false. If the core SDI people can find a way to overflow the buffer, it will be as bad as this article puts it. I've tested on some FP servers we use, and so far it only does what RFP said it would, you can get the actual code for asp scripts. So far, it doesn't look like you can directly change anything or affect/read files that are in passworded directories, etc. It's not a good idea to beleive anything about security when read in the mass media. by the time it gets there it is ususally sensationalized to the point where it's more about hype and marketting than anything else. Now, this is not to poopoo the find, if you have secrets stored in your asps, and they rely on them not being able to be read, by all means, you should be changing your drawers now:) Again, this seems only to affect IIS/Nt option pack 4 with Frontpage98 extensions loaded(quite a few servers run this configuration) a temporary fix is to disable front page extensions for the time being(it's better than being cracked wide open). I'm sure there are a lot of sites that have possible problems with this, and they may choose to take this short fix until MS throws them a bone( i anticipate it will be shortly). Ryan PS: again, with the exception of the CoreSDI find(which actually has little to do with this whole fiasco, they just noticed the overflow due to the increased awareness of this dll, i'm certain there are overflows in most MS dll's) the fact that the phrase "NetscapeEngineersAreWeenies!" is in there is of no import. it may be a buit funny(i don't know any netscape engineers to verify this or not). The phrase could just as easilyt have been "BillGatesWearsBlueSocks!", as long as the server dll and client dll agree on it.(I suppose you could hex edit the dll to make this change, that may be a simple fix as well, just don't forget to do it on the clients as well) ----- Original Message ----- From: "M J" <lurker () ITIS COM> To: <VULN-DEV () SECURITYFOCUS COM> Sent: Friday, April 14, 2000 9:55 AM Subject: Has anyone verified whether is is valid?
Friday's top stories Microsoft admits security flaw By CBS MarketWatch Last Update: 9:07 AM ET Apr 14, 2000 NEW YORK (CBS.MW) -- Microsoft (MSFT </data/squote.htx? TICKER=MSFT&TABLES=table&SOURCE=htx/http2_mw&dist=newsq>: news <http://www.marketwatch.newsalert.com/bin/headlines? Query=MSFT&SearchOption=ticker>, msgs <http://messages.marketwatch.com/mwclub/tickerLink.asp? ticker=MSFT&dist=newsm>) acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world- wide. The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as yet unidentified employees. The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file- called "dvwssr.dll"-containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions. While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit- card numbers, said security experts who discovered the password. -Matthew
Current thread:
- Has anyone verified whether is is valid? M J (Apr 14)
- Re: Has anyone verified whether is is valid? Joe (Apr 14)
- Re: Has anyone verified whether is is valid? Ron DuFresne (Apr 14)
- Re: Has anyone verified whether is is valid? Ryan Permeh (Apr 14)
- Re: Has anyone verified whether is is valid? Maxime Rousseau (Apr 14)
- <Possible follow-ups>
- Re: Has anyone verified whether is is valid? Hugo Gayosso (Apr 14)
- Re: Has anyone verified whether is is valid? Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Oulook password Hap2782 (Apr 15)
- Re: Oulook password Blue Boar (Apr 15)
- [Fwd: R: Oulook password] Blue Boar (Apr 15)