Why Songbird Doesn't Support Microsoft FrontPage


[From Wired News, available online at:
http://www.wired.com/news/print/0,1294,38410,00.html]

MS Fixes FrontPage Hole, Quietly  
by Michelle Delio  

11:15 a.m. Aug. 24, 2000 PDT

Microsoft has quietly plugged a security hole in FrontPage Server
Extensions. 

The hole made Web servers vulnerable to denial-of-service attacks
similar to the ones that crippled Yahoo, eBay, and Amazon.com in
February.  

But was fixing the problem enough? Some security specialists and Web
administrators say no, and believe that Microsoft was hoping to slip
the solution to its latest problem silently onto servers.     

"I don't think they specifically tried to hide it, but they seem to
have been trying to avoid any undue attention by discreetly bundling
the fix with a service pack," said "Sozni" of Xato Network Security.
"It is kind of like throwing a couple of personal deductions in with
the business deductions on your tax forms, and hoping the IRS won't
notice them."  

Sozni was the first to find the hole that left FrontPage Server
Extensions open to denial-of-service attacks. He said he informed
Microsoft of the hole on July 5.  

Microsoft acknowledged the problem and asked Sozni not to release any
information on the vulnerability until they could produce a fix.  

Microsoft later indicated to Sozni in an e-mail that the company
planned to include the fix in Version 1.2 of the program. "Since
service releases are planned releases rather than emergency fixes, we
can test them more thoroughly than patches," the e-mail said. "In
addition, the uptake rate for service releases is significantly higher
than for patches, so adding the change via a service release would get
it into more customers' hands."  

Version 1.2, with the hole patched, was released on August 15.  

That didn't exactly satisfy Sozni.  

"The issue isn't that they didn't fix the problem right away, it was
that they did not issue a security bulletin and the download was
placed in what seemed to me... an obscure location on Microsoft's
website. I even had trouble finding it until I saw a link in someone
else's e-mail to bugTraq," Sozni said.  

"It would have been more responsible if they had publicly acknowledged
the problem and issued a security advisory."  

A Microsoft spokesperson said that Microsoft is currently working on
additional knowledge-base articles detailing every fix included in the
FrontPage Service Release 1.2. These articles will be available
shortly on the Microsoft security website.  

"Sozni is right, there is a big, bad hole and Microsoft didn't tell us
about it," said Jerry Quevado, a systems administrator for a Fortune
500 company who asked that his employers' name be withheld because he
hasn't upgraded to Version 1.2 yet.  

"I knew there was a new version of Server Extensions available but
wasn't aware of any compelling reason why I needed to upgrade
immediately. There was no mention made at www.microsoft.com/security,
which I check regularly, that there were major security issues that
have been addressed with this release."  

"And I can't be the only one. I'd bet there are probably hundreds of
thousands of servers vulnerable to DoS attacks through FrontPage
Server Extensions," Quevado said.  

Sozni says that someone would have to be "playing around specifically
looking for holes" in order to find this particular vulnerability.  

To exploit the hole that Sozni found, a user must request a URL
through the shtml.exe component of the FrontPage Server Extensions.
The requested URL must include a DOS device name followed by the
.htm extension, such as
http://www.example.com/_vti_bin/shtml.exe/com1.htm.  

When this type of URL is sent to the server, all FrontPage operations
become disabled for that website. If the server hosts multiple sites,
only the one that received the request will become disabled. By
disabling the FrontPage Server Extensions, all Web authoring, Web
administration, WebFolders, InterDev, and WebBot operations for that
site will be blocked.  

"You could lock people out of an intranet or Internet site, you could
cripple e-commerce on a competitor's site by knocking out online order
forms, and all the while the site will appear to be functioning
normally. And given that any kid can DoS websites, this is a big
hole," said Quevado.  

Sozni also discovered a secondary problem when sending URLs with
certain DOS device names such as MAILSLOT, PIPE, and UNC -- these
requests reveal information about the server's physical path.  

For example, by sending the URL
http://www.example.com/_vti_bin/shtml.exe/pipe.htm, the following
error message will come back: Cannot open "C:\InetPub\wwwroot\pipe.htm":
no such file or folder.  
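
For administrators who want to check their own access logs for the two
request patterns described above, here is an added example (not part of
the Wired article or of any Microsoft tool). It assumes Common Log Format
input; the device list beyond com1, MAILSLOT, PIPE and UNC is a
generalization, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Names the article ties to the physical-path disclosure.
PATH_LEAK_NAMES = {"mailslot", "pipe", "unc"}
# Classic reserved DOS device names. The article shows only com1; the rest
# of this list is an assumption that generalizes its example.
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
SHTML_RE = re.compile(r"/_vti_bin/shtml\.exe/(.*)$", re.IGNORECASE)

def classify_request(target):
    """Return 'dos', 'path_disclosure' or None for one request target."""
    path = unquote(target.split("?", 1)[0])      # drop query, decode %xx
    match = SHTML_RE.search(path)
    if not match:
        return None
    leaf = match.group(1).replace("\\", "/").rsplit("/", 1)[-1]
    stem = leaf.split(".", 1)[0].strip().lower()  # "COM1.htm" -> "com1"
    if stem in PATH_LEAK_NAMES:
        return "path_disclosure"
    if stem in DOS_DEVICES:
        return "dos"
    return None

def scan(log_lines):
    """Return (client, request target, verdict) for each suspicious line."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        verdict = classify_request(match.group(1)) if match else None
        if verdict:
            hits.append((line.split(" ", 1)[0], match.group(1), verdict))
    return hits

# Constructed sample lines in Common Log Format (documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2000:11:15:00 -0700] "GET /_vti_bin/shtml.exe/com1.htm HTTP/1.0" 200 512',
    '192.0.2.11 - - [24/Aug/2000:11:15:04 -0700] "GET /_vti_bin/shtml.exe/PIPE.htm HTTP/1.0" 200 130',
    '198.51.100.7 - - [24/Aug/2000:11:16:10 -0700] "GET /_vti_bin/shtml.exe/order.htm HTTP/1.0" 200 2048',
    '198.51.100.8 - - [24/Aug/2000:11:17:30 -0700] "GET /index.htm HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for client, target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {client:14} {target}")
```

A "dos" hit on a server still running extensions older than Version 1.2
means FrontPage authoring for that site may already be disabled; a
"path_disclosure" hit means the server's physical path may have been
returned to the client.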

Daniel Docekal, editor of Svet Namodro, a daily IT newspaper published
in the Czech Republic, isn't surprised that Microsoft didn't publicize
the Server Extensions problem.  

"They have developed recently a very bad habit of hiding problems," he
said.  

Docekal said that four weeks ago, when the "Translate:f" security bugs
first surfaced, he attempted to contact Microsoft to tell them that
all of their websites have "this funny security problem -- anybody can
read sources, anybody can grab passwords."  

It took about 20 angry letters, the assistance of Czech Microsoft, and
"notifying many, many Microsoft people," says Docekal, for him to get
any response from the company.  

"Not that I have ever gotten a 'thank you' from them, all I have are
stupid responses from secure@microsoft.com. It took them three weeks
to fix it."  

Sozni also wanted to be thanked, and given some acknowledgement for
Xato's "having given them so much of our work for free," something he
does have a right to expect according to Microsoft's official
acknowledgement policy.  

He added that Microsoft had been very responsible about publicizing
security alerts over the past year, but says that this time it did
seem like the company "reverted to their old way" of dealing with
security issues.  

"It's hard enough keeping on top of the security fixes we know about
without having other ones being slipped in from behind," he said. "If
there is a security issue, it needs to be made public so it can be
fixed."   

© Copyright 1995-2000, Songbird. All Rights Reserved