Fixing Security Backdoors:
Red Hat 1, Microsoft 0
C.
McNulty - May 9, 2000
Event
Summary
On 25 April 2000, MSNBC reported that Internet Security Solutions had
identified a security "back door" in Red Hat Linux 6.2. The backdoor involves
an "extra", but undocumented, administrative password that allows users
to run rogue programs on a Red Hat server via a Web-based administrator's
interface. To its credit, Red Hat responded and posted a fix within six
hours of the report.
The news comes on the heels of reports earlier in the month that Microsoft
had buried a "secret" password in its Web server software for Windows
NT that derided Netscape engineers. The affected file was originally a
part of Visual InterDev 1.0, but was also added to IIS 4.0 and Front Page
98.
Upon further study, researchers at CoreLabs in Buenos Aires found that
the file, dvwssr.dll, was susceptible to buffer overflows, allowing an
intruder to flood an NT server and expose a security hole. (The file originally
contained the Netscape "commentary".) Microsoft originally denied the
existence of a security hole, but later suggested that users delete the
file.
Market
Impact
There's a clear difference between Microsoft and Red Hat in their responses.
Red Hat posted a fix within six hours of the MSNBC story. Microsoft has
yet to issue a patch for its problem.
To
be fair, the Red Hat breach is potentially more serious. Red Hat 6.2 servers
running the Piranha Web GUI, as installed, use a known default password.
Unauthorized users can use this password to access the site, and then
run a change password command. The password change runs with full administrative
privileges, and will execute any extra, embedded commands included with
the password change. Red Hat should be commended for their swift response
to the security hole.
In comparison, Microsoft spent three days even denying that there was
a problem. To quote a Microsoft spokeswoman Luisa Vacca, "[I] t is a really,
really miniscule vulnerability. In no way is it a back door in the product.
It's a pinhole."
Microsoft has steadfastly maintained that Interdev 1.0 is really just
a five-year-old piece of link checking software, so they will not issue
a patch. However, the file is also included in IIS 4.0, NT Option Pack
4.0, and Front Page 98 - a far larger range of users. Microsoft also noted
that upgrading to Windows 2000 fixes the problem.
User
Recommendations
No software is perfect. For an OS vendor to pretend otherwise only undermines
their credibility. These issues obviate the importance of monitoring security
issues. There are several good sources on the Web for this - including
InfoWorld SecurityWatch or TechnologyEvaluation.Com.
Red
Hat 6.2 users should immediately download and apply the suggested RPMs
from Red Hat's web site. And they should reset their passwords for Piranha.
Microsoft
users should search for, and delete the affected file. But they should
continue to press Microsoft for a better fix. Microsoft should patch the
file, and include it in a published hot fix and a future NT Service Pack.
In the end, we observe a real difference between a security-first policy
and a marketing-first policy. A security policy, such as Red Hat's, swiftly
addresses and fixes a problem. Unfortunately, Microsoft's marketing-first
policy begins with denial, and swiftly suggests buying Windows 2000 Advanced
Server (starting at US$809).