Want CNET to notify you of price drops and the latest stories?

Windows "back door" raises flags

While Microsoft downplays its significance, a Windows back door is generating anxiety among consumers and fixes from security firms.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
3 min read
While Microsoft downplays its significance, a Windows back door is generating anxiety among consumers and fixes from numerous security firms.

The program, dubbed "Back Orifice" (it is unrelated to Microsoft's BackOffice server-side application suite), lets the sender remotely control and monitor a computer running Windows 95 or 98. Once installed, the program does not show up in the user's task manager, giving it the potential to run undetected.

Microsoft has issued a security advisory on the problem, in which the company claims that Windows users who follow "safe computing practices" are not at risk.

"'Back Orifice' does not expose or exploit any security issue in Windows," the advisory claims.

But that is exactly what the program was created to do, according to security experts.

Introduced at the Def Con hacker convention earlier this month, Back Orifice is the product of a hacker group called the Cult of the Dead Cow.

"The crux of the issue is that they are trying to pressure Microsoft into making Windows 95 and 98 a secure operating system," said NTBugtraq editor Russ Cooper. "The objective is to prove that it is possible to do these kinds of things."

The hacker group may have made its point, but according to Cooper it isn't an earth-shattering revelation.

"Windows [95 or 98] has no security," Cooper said. "It's not meant to be a secure operating system. I disagree with the assertion that these types of things should not be possible. Windows 9x is an excellent OS for the consumer. Nobody has ever said it was secure."

Microsoft's Karan Khanna, product manager for the Windows NT security team, conceded that security was not Windows 95's or 98's strong suit.

"Essentially, Windows 95 and 98 were designed to provide security features tailored to the consumer marketplace," Khanna said. "But at the design point, they were not designed to be resistant to all forms and intensities of attack."

Back Orifice does not affect the more security-minded Windows NT operating system, though Cult of the Dead Cow has promised to release an NT version.

The debate over how serious a threat Back Orifice poses hinges partially on the question of how easy it is to install on the computers of unwitting users. In its advisory, Microsoft claims that the program "relies on the user to install it."

In a rebuttal to the advisory, the hacker group counters that "Back Orifice does not rely on the user for its installation. To install it, it simply needs to be run. Thanks to some actual exploits, there are several ways a program could be run on a Windows computer, not only without the user's approval, but without the user's knowledge."

Khanna stressed that in terms of installation, Back Orifice was no different than any other piece of software on the Internet.

"The bottom line is that the piece of software has to run on the user's computer--I couldn't run it on my computer and attack yours," Khanna said. "The question is how you get it to run on that computer. Either the user agrees to download it, and we tell you irrespective of Back Orifice that you should not download and run unsigned software. Or the user has to be tricked in some way to get it on the user's machine."

In reference to the hacker group's claims of "actual exploits" that could install the software without the user's knowledge, Khanna said he did not know to what exploits the group was referring.

Email programs including Microsoft's Outlook messaging client recently have taken heat from security researchers who discovered a flaw that could let malicious programmers execute code through email attachments without users' having opened them. Microsoft has issued a security alert on the problem, as well as a patch, which Khanna urged users to download.

Meanwhile, Internet security companies have been posting alerts and fixes to the problem. These include Network Associates, Data Fellows, Trend Micro, and Privacy Software.