Microsoft Security Bulletin MS98-010 - Critical
Information on the "Back Orifice" Program
Published: August 04, 1998 | Updated: August 12, 1998
Last Revision: August 12, 1998
On July 21, a self-described hacker group known as the Cult of the Dead Cow released a program called "Back Orifice," and suggested that users of the Microsoft® Windows® operating system were somehow at risk from unauthorized attacks. Microsoft takes security seriously, and has issued this bulletin to advise customers that users of Windows 95 and Windows 98 following safe computing practices (including not installing software from unknown and untrusted sources) are not at risk. Additionally, users of the Microsoft Windows NT® operating system and the Microsoft BackOffice® suite of products are not threatened in any way by this tool, because it does not even run on Windows NT Server.
The Claims About "Back Orifice"
It is unclear from the author's statements what "Back Orifice" is intended to do. In the press release that accompanied its release, "Back Orifice" is alternately described as an administrative tool or as something that demonstrates some security vulnerability in the Windows platform.
The author claims the program can be used for purposes such as:
- Remotely controlling and monitoring a computer running Windows
- Reading everything that the user types at the keyboard
- Capturing images that are displayed on the monitor
- Uploading and downloading files remotely
- Redirecting information to a remote Internet site
It is important to understand that programs allowing users to remotely control their computer should be installed with caution because they have the potential to be misused. Users should not install such types of programs from unknown bulletin boards or hacker web sites. There are many well-supported commercial tools from reputable vendors that provide this functionality to users today.
The Truth About "Back Orifice"
"Back Orifice" does not expose or exploit any security issue regarding Windows, Windows NT, or the Microsoft BackOffice suite of products.
As far as demonstrating an inherent security vulnerability in the Windows platform, this is simply not true. "Back Orifice" could introduce security vulnerabilities in the system on which it is installed, but, as with all other software, a user must make the choice to install it. Anytime users install software from unknown or untrusted sources, they risk compromising their system.
Based on our investigation of this program, it is our understanding that in order for "Back Orifice" to introduce a security vulnerability on a system, a very specific chain of events must occur:
- The user must deliberately install, or be tricked into installing the program on his or her machine.
- The attacker must know the user's IP address.
- The attacker must be able to directly connect to the user's computer. A properly configured firewall will prevent a direct connection and thus defeat a "Back Orifice" attack.
What Does This Mean for Customers Running Windows 95 and Windows 98?
Windows 95 and Windows 98 offer security features tailored to match consumer computer use. This consumer design center balances security, ease of use, and freedom of choice. The security features in Windows 95 and Windows 98 enable consumers to create a safe computing environment for themselves while preserving their freedom to choose which sites they visit and what software they download. However, neither operating system is designed to be resistant to all forms and intensities of attacks. The "Back Orifice" program is a good example of why consumers need to be careful about accessing, downloading and installing software from the Internet. Users should prevent the installation of potentially dangerous software including software from untrusted sources, by following good practices such as not downloading "unsigned" programs. Corporations and ISPs should insulate themselves from direct connection to the Internet with proxy servers or firewalls, and should consider blocking unsigned programs at the firewall. Users who follow reasonable and safe Internet computing practices, such as not installing software from unknown and untrusted sources, are unlikely to be affected by the "Back Orifice" tool. However, consumers whose computing needs require a higher level of security should consider Windows NT Server.
What Does This Mean For Customers Running Windows NT Server?
There is no threat to customers of Windows NT Workstation or Windows NT Server because the program does not run on the Windows NT platform. The authors of "Back Orifice" do not directly claim that their product poses any threat to Windows NT Server, even though it seems to be implied.
What Customers Should Do
Customers do not need to take any special precautions against external "attacks" from this program, since it would need to be installed on their system before any vulnerabilities could be created. However, customers should ensure that they follow all of the normal precautions regarding safe computing:
- Customers should keep their software up to date and should never install or run software from unknown sources -- this applies both to software available on the Internet and sent via e-mail. Reputable software vendors digitally sign their software available on the Internet to verify its authenticity and safety.
- Corporate administrators can block software that is not digitally signed by a reputable or authorized software company at their proxy server or firewall.
- Customers should keep their software up to date to ensure that hackers cannot take advantage of known issues.
- Companies should actively use auditing and monitor their network usage to deter and prevent insider attacks.
The following sources provide additional information about this issue:
- ISS Security Alert Advisory, "Cult of the Dead Cow Back Orifice Backdoor" http://www.iss.net/xforce/alerts/advise5.html
- August 4, 1998: Bulletin Created
- August 7, 1998: Bulletin Updated, minor changes and additional links
- August 12, 1998: Bulletin Updated with more information on Windows 95 and Windows 98
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00