Microsoft security hole puts Web sites at risk

As reported on Friday, Microsoft acknowledged that rogue software code containing the phrase "Netscape engineers are weenies!" was included in its Windows NT operating system and could open up Web sites to unauthorized access. The nearly five-year-old code also can be used to crash Web sites running FrontPage 98 server extensions, Microsoft has acknowledged.

Now, in a second security notice posted late Friday, Microsoft warned: "Shortly after publishing the bulletin, we learned of a new, separate vulnerability that significantly increases the threat to users of these products."

The new vulnerability potentially exposes hundreds of thousands of Web sites to denial-of-service attacks, whereby hackers could overrun the code with data and crash the sites. Because Microsoft distributes FrontPage 98 for free with the Windows NT 4 server, it is widely used by companies offering Web hosting services.

"We are treating this as a very serious problem, even though it is different than what we first thought," said Steve Lipner, manager of Microsoft's Security Response Center.

What remains unclear is the extent to which hackers could use the code to bypass Web site security and gain access to files, potentially compromising confidential data such as passwords or credit card information.

Lipner said the code does expose data and files to potential security breaches, "but only to someone who would otherwise have permission to see it." He described the security breach as a "hole in the wall," and nothing more.

Not all security experts accept Lipner's explanation, arguing the ability to breach security is more serious, particularly on shared Web servers. Many Web hosting companies offer what are called "virtual Web sites" on their servers. Rather than managing their own individual Web servers, many small businesses and corporations use these shared hosting facilities where the Web sites for many domains are on one server. Typically, shared hosting costs much less than "dedicated" hosting--one site on one server--and appeals to some start-ups and small businesses looking to save money.

According to a security alert on SecurityFocus.com, the rogue software code, dvwssr.dll, can be used by "anyone with Web authoring privileges on the target host to download" files from the Web server. "This includes users with Web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's Web site if hosted on the same physical machine."

Elias Levy, chief technology officer of SecurityFocus.com and moderator of the BugTraq Internet forum, faulted Redmond, Wash.-based Microsoft for not catching a long-standing problem affecting so many Web sites.

"Microsoft clearly has to put independent security auditing in place," he said. No company should distribute software--particularly that is used on the Web--without having a second team of developers check the code, he said.

"For the past several years it's been apparent that Microsoft's security development and testing process has been way behind its ability to put out products," said John Pescatore, a security analyst with Gartner Group.

While Microsoft further explores the extent of the security problem posed by the code, it is offering an easy fix: Delete dvswwr.dll. But its larger remedy might not appeal to companies offering Web hosting services. Lipner recommended Web hosting companies put one Web site on one server.