Fixing Security Backdoors: Red Hat 1, Microsoft 0

  • Written By: C. McNulty
  • Published: May 9 2000

Event Summary

On 25 April 2000, MSNBC reported that Internet Security Solutions had identified a security "back door" in Red Hat Linux 6.2. The backdoor involves an "extra", but undocumented, administrative password that allows users to run rogue programs on a Red Hat server via a Web-based administrator's interface. To its credit, Red Hat responded and posted a fix within six hours of the report.

The news comes on the heels of reports earlier in the month that Microsoft had buried a "secret" password in its Web server software for Windows NT that derided Netscape engineers. The affected file was originally a part of Visual InterDev 1.0, but was also added to IIS 4.0 and Front Page 98.

Upon further study, researchers at CoreLabs in Buenos Aires found that the file, dvwssr.dll, was susceptible to buffer overflows, allowing an intruder to flood an NT server and expose a security hole. (The file originally contained the Netscape "commentary".) Microsoft originally denied the existence of a security hole, but later suggested that users delete the file.

Market Impact

There's a clear difference between Microsoft and Red Hat in their responses. Red Hat posted a fix within six hours of the MSNBC story. Microsoft has yet to issue a patch for its problem.

To be fair, the Red Hat breach is potentially more serious. Red Hat 6.2 servers running the Piranha Web GUI, as installed, use a known default password. Unauthorized users can use this password to access the site, and then run a change password command. The password change runs with full administrative privileges, and will execute any extra, embedded commands included with the password change. Red Hat should be commended for their swift response to the security hole.
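The class of flaw described above, where extra commands embedded in a password-change request get executed, is shown here as an added example beside a hardened form. It is a generic illustration, not Piranha's or Red Hat's code. The function names, the `echo` stand-in and the `HELPER` process are assumptions, and the sample input is constructed.

```python
import subprocess
import sys

# Stand-in for the privileged helper that stores the new password. The page does
# not describe the real helper, so this one only echoes back what it was given.
HELPER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def change_password_unsafe(new_password: str) -> str:
    """Flawed pattern: user input is pasted into a shell command line."""
    # Anything after a shell metacharacter such as ';' becomes its own command
    # and runs with the privileges of the calling process.
    result = subprocess.run(f"echo {new_password}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def change_password_safe(new_password: str) -> str:
    """Hardened pattern: no shell, fixed argv, password passed on stdin."""
    if not 8 <= len(new_password) <= 128:
        raise ValueError("password length out of range")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in new_password):
        raise ValueError("control characters are not allowed")
    # argv is a fixed list, so the input can never add arguments or commands,
    # and stdin keeps the password out of the process list.
    result = subprocess.run(HELPER, input=new_password, capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    sample = "s3cret-pw; echo EXTRA-COMMAND-RAN"  # constructed input
    print("unsafe:", change_password_unsafe(sample).splitlines())
    print("safe:  ", change_password_safe(sample).splitlines())
```

In the unsafe form the shell treats the text after `;` as a second command, while the hardened form hands the whole string to the helper as data.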

In comparison, Microsoft spent three days even denying that there was a problem. To quote Microsoft spokeswoman Luisa Vacca, "[I]t is a really, really miniscule vulnerability. In no way is it a back door in the product. It's a pinhole."

Microsoft has steadfastly maintained that Interdev 1.0 is really just a five-year-old piece of link checking software, so they will not issue a patch. However, the file is also included in IIS 4.0, NT Option Pack 4.0, and Front Page 98 - a far larger range of users. Microsoft also noted that upgrading to Windows 2000 fixes the problem.

User Recommendations

No software is perfect. For an OS vendor to pretend otherwise only undermines its credibility. These issues underscore the importance of monitoring security issues. There are several good sources on the Web for this - including InfoWorld SecurityWatch or TechnologyEvaluation.Com.

Red Hat 6.2 users should immediately download and apply the suggested RPMs from Red Hat's web site. And they should reset their passwords for Piranha.

Microsoft users should search for and delete the affected file. But they should continue to press Microsoft for a better fix. Microsoft should patch the file, and include it in a published hot fix and a future NT Service Pack. In the end, we observe a real difference between a security-first policy and a marketing-first policy. A security policy, such as Red Hat's, swiftly addresses and fixes a problem. Unfortunately, Microsoft's marketing-first policy begins with denial, and swiftly suggests buying Windows 2000 Advanced Server (starting at US$809).
