Updated: July 11, 2020 (May 22, 2000)

  Analyst Report

"Back Door" in IIS Proves More Embarrassing Than Dangerous


Reports of a “back door” in Internet Information Server (IIS) 4.0 proved to be more embarrassing than dangerous. After a flurry of conflicting reports and three revisions of the Security Bulletin that describes the problem, a clear analysis and patch are now available. Initial reports incorrectly stated that a back door existed in IIS 4.0 and, further, that it could be accessed with the pass-phrase “Netscape Engineers are Weenies!” While this phrase was embedded in an “obsolete” DLL and used as an encryption key, it does not allow unauthorized users to gain access to a Web server.

However, the final analysis reveals that the suspect DLL, dvwssr.dll, does exist on most IIS 4.0 servers and contains an all-too-familiar buffer overflow bug. Microsoft has issued dozens of patches for buffer overflow bugs in a wide range of products over the past year. The primary risk with a buffer overflow is that a hacker could crash the system or execute malicious code of his or her choosing by passing specific strings to the vulnerable DLL.
