Security Information

Security Information  Week 16, 2000

At the end of week 15 a supposedly serious security issue was reported in Internet Information Server with FrontPage extensions installed.

The first reports said that the presence of the file dvwssr.dll on the server exposed a secret backdoor that allowed access to the server by using the password

"!seineew era sreenigne epacsteN"

(That is "Netscape engineers are weenies!" spelled backwards.)

According to media reports, Microsoft confirmed this backdoor. However, as new information emerged, the existence of a backdoor was denied.

Microsoft's Security Bulletin MS00-025 was released on Friday 14 April and has since been revised twice.

Current information says that there is a vulnerability. Provided that the settings on the above-mentioned .dll file have been changed from the defaults, it is possible to crash the web server and potentially to run arbitrary code on the server.

The dvwssr.dll is part of Visual Interdev 1.0. It is included in the following products:

  • Microsoft Windows NT 4.0 Option Pack (which includes Internet Information Server 4.0)
  • Personal Web Server 4.0, which is part of Windows 95 and 98
  • FrontPage 98 Server Extensions, which are part of FrontPage 98

To eliminate the vulnerability, web server managers are advised to delete all instances of the file dvwssr.dll from their servers. The only functionality lost by doing so is the ability to generate link views of .asp pages using Visual Interdev 1.0.
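
Since the advice is to delete all instances of the file, the following sketch first lists every copy and only then removes them. It is an added example, not part of the original bulletin or of Microsoft's guidance; the search roots and the parameter names (-Root, -Remove) are assumptions to adapt to the server at hand.

```powershell
# Added example: list every copy of dvwssr.dll and optionally delete it.
# Assumption: the roots below are placeholders; pass the drives or web roots in use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Root = @('C:\'),   # assumed search roots
    [switch]$Remove               # without this switch the script only reports
)

$target = 'dvwssr.dll'

# -Filter matching is case-insensitive on Windows, so DVWSSR.DLL is found too.
# -Force includes hidden and system files; unreadable directories are skipped.
function Find-Target {
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Filter $target -File -Recurse -Force `
            -ErrorAction SilentlyContinue
    }
}

$found = @(Find-Target)
if ($found.Count -eq 0) {
    Write-Output "No instances of $target found under: $($Root -join ', ')"
    return
}

# Record what is present before anything is deleted.
$found | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        Length        = $_.Length
        LastWriteTime = $_.LastWriteTime
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List

if ($Remove) {
    foreach ($f in $found) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    # Re-scan so that a copy that could not be deleted is not missed.
    $left = @(Find-Target)
    Write-Output "Remaining instances after removal: $($left.Count)"
    $left | ForEach-Object { Write-Output "  $($_.FullName)" }
}
```

Run it without -Remove to get the inventory only; adding -Remove -WhatIf previews the deletions without performing them.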

In addition to the Security Bulletin mentioned above, Microsoft has also issued a Frequently Asked Questions document about this vulnerability.

Per Olav Førland