"Weenie" bug resurrected on Yahoo

A three-paragraph account on the bug--originally reported April 14, 2000--appeared without a date or byline on Yahoo's site, stating: "Last Thursday, Microsoft admitted its engineers planted a secret password in its software that could be used to gain illegitimate access to hundreds of thousands of Internet sites worldwide."

Microsoft stressed that the report isn't new. "It's a year-old problem," said a Microsoft representative. "We are trying to get through to Yahoo to see what it's doing up there."

Several readers contacted CNET News.com Tuesday seeking further information about the Yahoo report, and technology news and discussion site Slashdot posted a story on the Yahoo alert before learning it was outdated.

While originally reported as a "back door"--a secret password that gives full access to another person's system--the "weenies" flaw is actually an inadvertent bug in a dynamic link library, or DLL, file known as "dvwssr.dll" that allows access to a Web site's active server pages.

However, to access the pages, would-be intruders need to use a key to encode Web page names. The key is "!seineew era sreenigne epacsteN"--or "Netscape engineers are weenies!" spelled backwards--a holdover from Microsoft's browser war with Netscape.

The file with the security flaw is provided by Microsoft to support its Visual Interdev 1.0 application, an older, rarely used program that helps Webmasters track broken links. Though few people use it, the file is part of the default installation for Web servers using Windows NT 4.0 and Microsoft's Internet Information Service 4.0 software as well as Microsoft's FrontPage 98 software and its Personal Web Server 4.0.

The article had been automatically posted to the Yahoo site from a news feed provided by affiliate Entrepreneur.com, said a Yahoo representative. Yahoo removed the article around 9 a.m. PDT Tuesday.