http://news.cnet.com/news/0-1003-200-5933518.html?tag=mn_hd

[It appears I reposted a news story as old as the six-pack of Molson's Canadian I found in my garage, smuggled into the U.S. from my last road trip to the Great White North back in early 2000. I will try not to post any stories of the same vintage as the Point Beer Winter Bock that I found also in the same corner of my garage. Thanks to *ALL* the readers that pointed this M$ advisory out to me. :) -=- WK]

By Robert Lemos
Special to CNET News.com
May 15, 2001, 10:00 a.m. PT

More than a year after it was originally reported, the "Netscape engineers are weenies!" security hole in Microsoft software made a brief comeback Monday and Tuesday on Yahoo's Small Business portal.

A three-paragraph account on the bug--originally reported April 14, 2000--appeared without a date or byline on Yahoo's site, stating: "Last Thursday, Microsoft admitted its engineers planted a secret password in its software that could be used to gain illegitimate access to hundreds of thousands of Internet sites worldwide."

Microsoft stressed that the report isn't new. "It's a year-old problem," said a Microsoft representative. "We are trying to get through to Yahoo to see what it's doing up there."

Several readers contacted CNET News.com Tuesday seeking further information about the Yahoo report.

While originally reported as a "back door"--a secret password that gives full access to another person's system--the "weenies" flaw is actually an inadvertent bug in a dynamic link library, or DLL, file known as "dvwssr.dll" that allows access to a Web site's active server pages.

However, to access the pages, would-be intruders need to use a key to encode Web page names. The key is "!seineew era sreenigne epacsteN"--or "Netscape engineers are weenies!" spelled backwards--a holdover from Microsoft's browser war with Netscape.

The file with the security flaw is provided by Microsoft to support its Visual Interdev 1.0 application, an older, rarely used program that helps Webmasters track broken links. Though few people use it, the file is part of the default installation for Web servers using Windows NT 4.0 and Microsoft's Internet Information Service 4.0 software as well as Microsoft's FrontPage 98 software and its Personal Web Server 4.0.

Yahoo apparently removed the article around 9 a.m. PDT Tuesday, but a Yahoo representative could not immediately explain the report.