Microsoft Embeds Security Hole

FrontPage & NT systems and their users at risk



Security Breach Bites Microsoft FrontPage & Windows NT

by Dave Murphy
ISSN 1535-3613

Dave Murphy, DGL President & ITrain founder

The security breach in FrontPage 98 and its server extensions that was first reported four days ago also exists in Windows NT4 Option Pack. Similar suspicious code was found in Visual Studio 6.0; however, it's not clear whether the code in this third product will also pose a security threat.

The bug can be exploited to release sensitive website information such as credit card account numbers. It grants access to management files and possibly specific user information and passwords. With this information, a cracker has full access to a site. Sites are at risk from a number of sources, including a rogue Perl script that exploits this security hole.

The vulnerable code immediately affects two audiences:

  1. site designers who are required to maintain the C2 security standard; this security breach renders sites non-compliant with the government's C2 standard.

  2. all websites hosted by a multi-site hosting service that allows FrontPage extensions.

This second audience includes any website using FrontPage extensions that's hosted on the same server as one or more other FrontPage websites.

I'm concerned that this security hole seems to have been intentionally added by Microsoft's developers, and Microsoft has acknowledged that this represents a major security threat. As of this morning, neither a full reporting nor a solution has been posted to Microsoft's security bulletin page.

The breach is, in part, related to the file "dvwssr.dll" which was included with FrontPage 98. All site designers should delete this file from their systems and sites. The file was initially included to support Visual Interdev 1.0. The file is also installed with the Windows NT4 Option Pack. Even if you're a Visual Interdev user, you may safely delete the dvwssr.dll file if you're using a version of Visual Interdev later than 1.0.
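A defender's check to pair with deleting the file, added here as an example and not part of the original article: it scans a web server log in W3C extended format for requests that named dvwssr.dll, so you can see which clients asked for the DLL and whether the server still answered. The log format, the function names and the sample lines are assumptions; all addresses and paths in the sample are constructed.

```python
from collections import defaultdict
from urllib.parse import unquote

TARGET = "dvwssr.dll"  # file name taken from the article

# Constructed sample in W3C extended log format; addresses and paths are made up.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-15 09:12:01 192.0.2.10 GET /index.htm - 200
2000-04-15 09:12:07 198.51.100.7 GET /example-dir/dvwssr.dll placeholder-query 200
2000-04-15 09:12:09 198.51.100.7 GET /example-dir/DVWSSR.DLL placeholder-query 200
2000-04-15 09:13:30 203.0.113.5 GET /example-dir/dvwssr%2Edll - 404
#Fields: date time cs-uri-stem c-ip sc-status
2000-04-16 10:00:00 /example-dir/dvwssr.dll.bak 192.0.2.10 404
2000-04-16 10:00:05 /other/Dvwssr.dll 203.0.113.5 200
"""

def find_dll_requests(log_text, target=TARGET):
    """Return {client_ip: [(date, time, uri, status), ...]} for requests to target."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed or truncated lines
        row = dict(zip(fields, values))
        # Decode percent-escapes in case the log stores the URI raw.
        uri = unquote(row.get("cs-uri-stem", ""))
        # Match the last path segment, ignoring case as Windows file names do.
        if uri.replace("\\", "/").rsplit("/", 1)[-1].lower() == target:
            hits[row.get("c-ip", "?")].append(
                (row.get("date"), row.get("time"), uri, row.get("sc-status")))
    return dict(hits)

def served(hits):
    """Clients that got a 2xx answer, meaning the DLL was still present and reachable."""
    return sorted(ip for ip, rows in hits.items()
                  if any(r[3] and r[3].startswith("2") for r in rows))

if __name__ == "__main__":
    found = find_dll_requests(SAMPLE_LOG)
    for ip, rows in found.items():
        print(ip, len(rows), "request(s)")
    print("served to:", served(found))
```

After the file has been deleted, later requests for it should show up here only with error status codes.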

Call for Comments

What do you think? Leave your comments on the message center.

References

Microsoft Security Bulletins
Message Center



ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.

Previous issues are on our website at http://dgl.com/itinfo/.

updated April 16, 2000
http://dgl.com/itinfo/2000/it000416.html

Copyright © 2000, Damar Group, Ltd., All Rights Reserved