A newsletter devoted to bug reports has amended a warning from last week that announced "potentially catastrophic" security holes in Microsoft's Web servers.
Last week, BugNet reported that two Microsoft Web servers--the FrontPage Personal Web Server and Internet Information Server--contain holes that could make them insecure, including a breach that would make it possible for hackers to reformat server hard drives. BugNet said that Microsoft support personnel had given users erroneous advice on configuring the servers and that improperly configured servers would be vulnerable to hacker attacks.
Now, BugNet has corrected itself, saying that the Microsoft advice, which appeared in the company's public Usenet newsgroups, appears to be the work of impostors, not Microsoft personnel. BugNet traced the advice to messages posted by users with two apparently bogus email addresses: "email@example.com" and "firstname.lastname@example.org."
The messages advised Webmasters to do something they're unequivocally not supposed to do: put a Perl interpreter and scripts--software that is often used to connect Web servers to databases--in a Web server's "cgi-bin" directory. If discovered by a hacker, this configuration gaffe could allow the hacker to execute potentially damaging commands on the server by running a program available on the Net called Latro.
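An administrator can audit for the configuration mistake described above by scanning the server's script directory for interpreter binaries. The following Python sketch is an added example, not code from BugNet, Microsoft or the original report; the list of interpreter names, the file-type check and the sample directory it builds are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed list of interpreter base names; extend it for your environment.
INTERPRETERS = ("perl", "python", "ruby", "tclsh", "sh", "bash", "csh", "ksh", "cmd", "command")
# Matches perl, PERL.EXE, perl5.003, perl5.exe; does not match search.pl or shell.cgi.
NAME_RE = re.compile(r"^(%s)[\d.]*(\.(exe|com))?$" % "|".join(INTERPRETERS), re.IGNORECASE)

def file_kind(path):
    """Classify a file by its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == b"MZ":
        return "windows-executable"
    if head == b"\x7fELF":
        return "elf-executable"
    if head[:2] == b"#!":
        return "script"
    return "unknown"

def find_interpreters(cgi_dir):
    """Return sorted (relative path, kind) pairs for interpreter-named files under cgi_dir."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            if NAME_RE.match(name):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, cgi_dir).replace(os.sep, "/")
                findings.append((rel, file_kind(full)))
    return sorted(findings)

def demo():
    """Build a constructed cgi-bin tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = os.path.join(tmp, "cgi-bin")
        os.makedirs(os.path.join(cgi, "tools"))
        sample = {  # constructed sample files, not real binaries
            "PERL.EXE": b"MZ\x90\x00",
            "tools/perl5.003": b"\x7fELF\x02\x01",
            "search.pl": b"#!/usr/bin/perl\n",
            "shell.cgi": b"#!/bin/sh\n",
        }
        for rel, data in sample.items():
            with open(os.path.join(cgi, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return find_interpreters(cgi)

if __name__ == "__main__":
    for rel, kind in demo():
        print("interpreter in cgi-bin: %s (%s)" % (rel, kind))
```

A name-based scan does not catch an interpreter that has been renamed, so any finding or any unexpected native executable in the script directory still calls for manual review.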
Last week, Microsoft officials said they didn't know the source of the bad advice and reiterated the risks of improperly configuring their Web servers. Prior to the BugNet report, the Computer Emergency Response Team issued a more general alert May 29 that did not mention any specific companies but warned against setting up Web servers with Perl programs in the wrong directories.
Today, Microsoft officials said they can't ascertain whether the perpetrators of the bad advice are impostors, leaving open the possibility that a misguided Microsoft employee could have posted the messages. "We don't know if it was someone internal," said Bob Crissman, director of FrontPage product marketing at Microsoft. "If it is someone internal, we have to straighten the situation out."