Unidentified Microsoft Corp. engineers have created a backdoor password in some of the company’s Net software that may be used to gain illegal access to sites all over the world.
Two security experts reportedly found the secret code, which poked fun at rival Netscape’s engineers, referring to them as “weenies,” the Wall Street Journal reported Thursday.
Steve Lipner, manager of Microsoft’s security-response center, said such a backdoor password was “absolutely against our policy” and a firing offense for the as yet unidentified employees.
The company said it would give clients, many of whom include giant Net hosting providers, a heads-up with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft (MSFT) urged customers to delete the file called “dvwssr.dll,” which houses the offending code. The file is installed on the firm’s Net-server software with FrontPage 98 extensions.
Although no reports have surfaced claiming the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. Should hackers take advantage of the backdoor, they could gain access to key Web site management files, which could yield customer credit card numbers, said the security experts who discovered the password.
It is believed that the code was written by a Microsoft engineer during its browser wars with Netscape Communications.
The bug was discovered by Alf Serer from ClientLogic.com. He tipped off a fellow expert, known only as “Rain Forest Puppy,” who confirmed the backdoor after testing.
RFP said the degrading “Netscape engineers are weenies!” line was used repeatedly as a constant key.
“I was told by MS that only individuals with Web authoring permission can use it, which is more than I had originally thought. But it’s not as widespread as, say, RDS,” RFP said.
“Regardless of its actual purpose, or Microsoft’s intent, I think the core interesting issue is that Microsoft literally coded (or allowed) a .dll which used a static key such as ‘Netscape engineers are weenies!’”
The code, and additional comments by RFP, may be seen here.
An audio interview with RFP is available in MP3 format here.