Microsoft Admits to Security Flaw in Web Software

TIMES STAFF WRITER

Microsoft Corp. acknowledged Friday that a security flaw in an obscure piece of its Internet software could expose some sensitive information such as credit cards and passwords to some users.

But such data could be accessed only under a set of unusual circumstances that would depend on the Web site operator’s disregarding standard security procedures, said Scott Culp, a manager for Microsoft’s security response team.

The company found that a 5-year-old piece of code in FrontPage 98--a software tool used to create pages to publish on the World Wide Web--inadvertently gave FrontPage users access to multiple Web site pages housed on the same server computer.

The rogue computer code was discovered by two security experts, Microsoft officials said.

But access to sensitive information could occur only under specific conditions.

For example, only people who are hosting an Internet server running multiple Web sites could access and distribute sensitive data. But the flaw was not a deliberate attempt by company programmers to breach security through a “backdoor,” Culp said.

People simply accessing the Web through the Internet could not easily gain access to any other data on the server, he said.

The file involved, called “dvwssr.dll,” is installed on Microsoft’s Internet server software version 4.0 and is also found in FrontPage server extensions 98, Culp said. Deleting that file solves the problem, he said.

“This is another in a string of bad public relations for Microsoft,” said Mark Snowden, a senior analyst for GartnerGroup. “I don’t believe this was done with malicious intent, but it does raise the question of whether software development is getting so diffuse and complicated that you can’t control these security breaches. It’s an example of how vulnerable Internet commerce can be.”

Culp said Microsoft programmers substituted the names of certain sub-files with the phrase “Netscape engineers are weenies!”--a jab at Microsoft’s rival for Internet browser software.

Catherine Corre, a spokeswoman for Netscape Communications Corp., called the inclusion of the phrase “classic Microsoft arrogance,” and said that her company’s engineers “certainly are not weenies.”

So far, no Web site has reported security breaches by people using the compromised code, Culp said, but many sites use the affected software. Microsoft is issuing a security bulletin to its customers warning of the security vulnerability and explaining how to delete the affected file, Culp said.

The “weenie” comment is not a password or a “backdoor” way to access anything on the file, he said. It has nothing to do with the software vulnerability.

“It was in the program but it was inappropriate to have it there,” Culp said, adding that a person who inserts unauthorized code into a Microsoft product runs the risk of being fired.

Microsoft shares fell 6.4% to close at $74.13 Friday, in one of the biggest declines of the Nasdaq market.

*

Associated Press was used in compiling this report.
