Article Reprint

The article below was reprinted by permission of the copyright holder. The original article appeared only briefly on the Web and is no longer viewable.

Security Holes Found in Microsoft Products;
Netscape Also Reports Security Bug

Security Experts Say Proprietary Code Isn't Scrutinized Well Enough

April 19, 2000
Washington, DC, USA
© 2000 DSO, Inc., all rights reserved

WASHINGTON, D.C. - A report by the Wall Street Journal Friday on a security flaw in Microsoft's Web server software that, under the right conditions, could compromise Web sites has fueled long-standing concerns about the security of Microsoft products in general, and has raised the decibel level of the debate over the need for closer scrutiny of proprietary code for potentially damaging security flaws before a product is released.

Meanwhile, but apparently drowned out by all the mainstream reporting on the new Microsoft flaw -- which Microsoft now says is not as serious as it initially conceded -- was the report last Thursday by InternetNews.com about how the developer of the highly-rated e-commerce Dansie Shopping Cart stands accused of building a backdoor into the program that could give him or hackers complete control of the server on which it is installed. The Dansie Shopping Cart, named after its developer, Craig Dansie, is in use at more than 200 e-commerce sites and is recommended by many Web hosting providers.

According to Joe Harris, a technical support representative at Blarg Online Services in Seattle, a subroutine was programmed into the cart which enables Dansie to use a nine-character form element, or password, to remotely execute commands on servers using the broad security privileges usually assigned to CGI scripts. "It takes little imagination to dream up the potential havoc and privacy violations this level of access could result in -- from stealing private customer records to a full-blown crack of an e-commerce server," Harris was quoted as saying.

Information security experts here told SOURCES these problems underscore how lax the software development industry is about scrutinizing code for security problems.

"The recent incident of 'backdoors' in Microsoft software is indicative of a fundamental problem that electronic commerce will need to address very soon," Jerry Harold, president & co-founder of NetSec, told SOURCES in an interview. "Commercial software generally is built for functionality and is based on proprietary code that is developed and tested behind closed doors. Even if Microsoft has stringent internal requirements for software assurance, it's very difficult to catch a backdoor that may be hidden by a single coder deep inside hundreds of thousands of lines of code," said Harold, who previously was a computer security engineer for the U.S. National Security Agency (NSA).

"In this environment, independent analysis for security weaknesses is essential, but nearly impossible to perform on proprietary source. Effective security must be built into a product from the ground up, throughout design, development, and independent testing. [And] I'm not just referring to the security features of a product, such as passwords and encrypted data transmission."

Harold said "a secure product or device must start with a secure operating system as the foundation for the entire product. If the underlying operating system is insecure, then you've got problems that can be expensive or impossible to eliminate." Harold emphasized that "if a company's success depends on trusted and secure transactions, they should think long and hard about their choice of software."

For its part, Microsoft has been plagued by a series of discoveries in recent years of so-called "backdoors" that could be exploited by hackers. According to the Journal report Friday, unidentified Microsoft programmers secretly inserted a "trojan horse"-like password into the company's Internet server software that reputedly allows illicit back door entry to potentially hundreds of thousands of Web sites. As initially reported, the breach could give hackers access to users' credit card numbers and login and password information.

Russ Cooper, who operates the NTBugtraq discussion forum, was quoted by the Journal as saying the backdoor password threatens "almost every Web-hosting provider ... It's a serious flaw. Chances are, you're going to find some major sites that still have it enabled." The file, called "dvwssr.dll", is installed on Microsoft's Internet-server software with FrontPage 98 extensions, and can be used to gain access to key Web site management files.

The code, in three-year-old software, was discovered by a Europe-based employee of the ClientLogic Corp. in Nashville, Tenn., and a professional security consultant known as Rain Forest Puppy, who reportedly said he was made aware of the code by a ClientLogic employee. Microsoft reportedly acknowledged the existence of the back door code and urged customers to delete the "dvwssr.dll" file. Steve Lipner, the manager of Microsoft's security-response center, was quoted by the Journal initially as saying the backdoor password was "absolutely against our policy" and indicated that the engineer(s) responsible would be fired.

It is unclear how long Microsoft has been aware of the security flaw. The code was apparently inserted in 1997, at about the time Netscape Communications Corp. and Microsoft were locked in battle over their respective versions of Internet-browsers. Accompanying the code is the buried comment, "!seineew era sreenigne epacsteN," the backwards spelling of, "Netscape engineers are weenies!" New analysis of the security hole, however, refutes the Journal's initial report that a Microsoft employee deliberately put a back door in a module installed by Microsoft's Web server software.

Cooper said the flaw is just a bug, not a surreptitious back door. "This is a hole that could allow information to be manipulated by others," Cooper wrote on the NTBugtraq Web site. "However, it's limited to 'others' who already have Web authoring permissions on the same box." According to Microsoft, the phrase is not a password but instead a cipher key that is used to scramble the address of Web pages that users request. The "Netscape weenies" file does not by itself allow the security breach; instead, the "weenies" phrase is a way to reach the security hole, a spokesman said, adding that a hacker using the phrase would also need authoring privileges in order to gain read-only access to Active Server Pages files.

In February, a report by France's Strategic Affairs Delegation (DAS), the intelligence arm of the French Defense Ministry, was made public in which it accused agents of the NSA of working with Microsoft to develop software to allow the spy agency to eavesdrop on communications around the world. Written by a senior officer at the DAS, the report claims agents of the NSA worked to install secret programs in Microsoft software. Microsoft considers such allegations "ludicrous," and has denied previous similar assertions.

Microsoft came under fire for a peculiar eavesdropping feature of its Internet Explorer several years ago which left observers wondering whether Explorer was surreptitiously embedded with a program deliberately intended to allow Internet users' hard drives to be spied on. Several intelligence community sources told SOURCES at the time that their respective organizations knew, in advance of public disclosure of the feature, that it was capable of being used to read the contents of a computer connected to the Internet at the ISP level. The controversy erupted when Microsoft sent the beta version of Windows 95 to be tested at MIT, the University of Melbourne, and other universities. During the testing it was discovered that there was a subroutine that, when the user connected to the Microsoft Network, caused a "registration" program to automatically kick in and read the names of programs on the subscriber's hard drive.

If the computer had a modem connected to a phone line, the computer automatically dialed MSN and uploaded the information without the user's permission, and often without the user knowing what was happening. Consequently, a U.S. Air Force directive instructed its units not to register Win 95 on-line because Microsoft's scanner program would submit back to Microsoft whatever is on the user's hard drive. When questioned about the subroutine, which was an "undocumented feature" of the program, Microsoft said it only read the names of programs and the information was being used for marketing purposes. But testers at the University of Melbourne reportedly found that they could use the program to read the names of all files on the disk. MIT was also able to do this, and a tester there said that if one can read the names of files, one can retrieve them. Another unresolved issue was whether Microsoft could invoke that program at a later date and, once again, have access to the user's hard drive information. Faced with an international outcry, Microsoft said it would give notice that the program was there and would modify it to search only for a limited number of specific programs, 100 in all. Microsoft also changed the program so that it notified the owner that the program was there and gave them the choice of using on-line registration or not, with the default being that the user had to actively choose to use this feature.

"This is why NetSec builds its products on an operating system (OpenBSD) that has made security its number one goal," Harold told SOURCES. "The source for the operating system was re-built from the ground up for security and is publicly available. As a result, it is continuously subjected to rigorous security review by independent software engineers around the world. This has additional benefits because secure code often tends to be well designed, stable, and efficient."

Hammering his message home is today's report, coming less than a week after the revelation that its Web server software has a security flaw, that Microsoft is looking into another newly discovered security hole in its Communicator Web browser that could expose people's private files to malicious Web site operators.

Meanwhile, Netscape also is testing patches for a newly discovered security hole in its Web browser which also could allow a hostile Web site to glean private information on visitors. Netscape concedes that the flaw isn't isolated to any one aspect of the popular browser, but rather lies in a combination of technologies.

SOURCES is a security intelligence news service dedicated to delivering intelligence that can save or destroy lives, businesses, and government operations worldwide.

OpenBSD www@openbsd.org