From secure@MICROSOFT.COM Wed Aug 5 13:23:43 1998 From: Microsoft Product Security Response Team To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM Date: Wed, 5 Aug 1998 08:21:26 -0700 Subject: Microsoft Security Bulletin (MS98-010) Microsoft Security Bulletin (MS98-010) ----------------------------------------------------------------------- - Information on the BackOrifice Program Last Revision: August 04, 1998 Summary ======= On July 21, a self-described hacker group known as the Cult of the Dead Cow released a tool called BackOrifice, and suggested that Windows users were at risk from unauthorized attacks. Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95(r) and Windows 98(r) users following safe computing practices are not at risk and Windows NT(r) users are not threatened in any way by this tool. The Claims About BackOrifice ============================ According to its creators, BackOrifice is "a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network". The authors claim that the program can be used to remotely control a Windows computer, read everything that the user types at the keyboard, capture images that are displayed on the monitor, upload and download files remotely, and redirect information to a remote internet site. The Truth About BackOrifice =========================== BackOrifice does not expose or exploit any security issue with the Windows platform or the BackOffice(r) suite of products. BackOrifice does not compromise the security of a Windows network. Instead, it relies on the user to install it and, once installed, has only the rights and privileges that that the user has on the computer. For a BackOrifice attack to succeed, a chain of very specific events must happen: - The user must deliberately install, or be tricked into installing the program - The attacker must know the user's IP address - The attacker must be able to directly address the user's computer; e.g., there must not be a firewall between the attacker and the user. What Does This Mean for Customers Running Windows 95 and Windows 98? ==================================================================== BackOrifice is unlikely to pose a threat to the vast majority of Windows 95 or Windows 98 users, especially those who follow safe internet computing practices. Windows 95 and Windows 98 offer a set of security features that will in general allow users to safely use their computers at home or on the Internet. Like any other program, BackOrifice must be installed before it can run. Clearly, users should prevent this installation by following good practices like not downloading unsigned executables, and by insulating themselves from direct connection to the Internet with Proxy Servers and/or firewalls wherever possible. What Does This Mean For Customers Running Windows NT? ===================================================== There is no threat to Windows NT Workstation or Windows NT Server customers; the program does not run on the Windows NT platform. BackOrifice's authors don't claim that their product poses any threat to Windows NT. What Customers Should do ======================== Customers do not need to take any special precautions against this program. However customers should ensure that they follow all of the normal precautions regarding safe computing: - Customers should not install or run software from unknown sources -- this applies to both software available on the Internet and sent via e-mail. Reputable software vendors digitally sign their software to verify its authenticity and safety. - Corporate administrators can block software that is not digitally signed by a reputable or authorized software company at their proxy server and/or firewall. - Customers should keep their software up to date to ensure that hackers cannot take advantage of known issues. - Companies should use actively use auditing and monitor their network usage to deter and prevent insider attacks. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin 98-010, Information on the BackOrifice Program (the Web posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-010.htm Revisions ========= August 04, 1998: Bulletin Created For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security ----------------------------------------------------------------------- -- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp. ===================================================== You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.