Vulnerability Development mailing list archives

Re: Has anyone verified whether is is valid?


From: talis () MILLCOMM COM (Ryan Permeh)
Date: Fri, 14 Apr 2000 20:42:33 -0500


From the reports, some of this is true, and some is false.  If the Core SDI
people can find a way to overflow the buffer, it will be as bad as this
article puts it.  I've tested on some FP servers we use, and so far it only
does what RFP said it would: you can get the actual code for ASP scripts.
So far, it doesn't look like you can directly change anything or affect/read
files that are in passworded directories, etc.

It's not a good idea to believe anything about security when read in the
mass media.  By the time it gets there it is usually sensationalized to the
point where it's more about hype and marketing than anything else.

Now, this is not to pooh-pooh the find: if you have secrets stored in your
ASPs, and they rely on not being able to be read, by all means you should
be changing your drawers now :)

Again, this seems only to affect IIS/NT Option Pack 4 with FrontPage 98
extensions loaded (quite a few servers run this configuration).

A temporary fix is to disable FrontPage extensions for the time being (it's
better than being cracked wide open).  I'm sure there are a lot of sites
that have possible problems with this, and they may choose to take this
short fix until MS throws them a bone (I anticipate it will be shortly).

Ryan

PS: Again, with the exception of the Core SDI find (which actually has little
to do with this whole fiasco; they just noticed the overflow due to the
increased awareness of this DLL, and I'm certain there are overflows in most
MS DLLs), the fact that the phrase "NetscapeEngineersAreWeenies!" is in there
is of no import.  It may be a bit funny (I don't know any Netscape engineers
to verify this or not).  The phrase could just as easily have been
"BillGatesWearsBlueSocks!", as long as the server DLL and client DLL agree
on it.  (I suppose you could hex edit the DLL to make this change; that may
be a simple fix as well, just don't forget to do it on the clients as well.)

----- Original Message -----
From: "M J" <lurker () ITIS COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, April 14, 2000 9:55 AM
Subject: Has anyone verified whether is is valid?

Friday's top stories
Microsoft admits security flaw
By CBS MarketWatch
Last Update: 9:07 AM ET Apr 14, 2000
NEW YORK (CBS.MW) -- Microsoft (MSFT) acknowledged Thursday that its
engineers included in some of its Internet software a secret password
-- a phrase deriding their rivals at Netscape as "weenies" -- that
could be used to gain illicit access to hundreds of thousands of
Internet sites worldwide. The manager of Microsoft's security-response
center, Steve Lipner, acknowledged the online-security risk in an
interview Thursday and described such a backdoor password as
"absolutely against our policy" and a firing offense for the as yet
unidentified employees. The company planned to warn customers as soon
as possible with an e-mail bulletin and an advisory published on its
corporate Web site. Microsoft urged customers to delete the computer
file -- called "dvwssr.dll" -- containing the offending code. The file
is installed on the company's Internet-server software with FrontPage
98 extensions. While there are no reports that the alleged security
flaw has been exploited, the affected software is believed to be used
by many Web sites. By using the so-called back door, a hacker may be
able to gain access to key Web-site management files, which could in
turn provide a road map to such things as customer credit-card
numbers, said security experts who discovered the password.


-Matthew


