Russ Cooper, editor of Microsoft-software security site NTBugTraq, said it's just a bug, not a backdoor -- albeit one that Web site hosting services should quickly fix.
That could mean overtime for administrators at Web hosting sites like GeoCities and Tripod, but refutes a Wall Street Journal report that called the security flaw a "backdoor," which would give attackers easy access to others' Web sites.
Unfortunately, the file is part of the default installation of Web servers using NT 4.0 and Microsoft's Internet Information Service software. "The (security hole) is present on practically every machine that runs IIS 4.0," Cooper said.
While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users.
"'Netscape engineers are weenies!' was a dumb thing to put in there," said Cooper. "But if we took a dictionary cracker and went over Sun's code, we would find the same sorts of things."
Microsoft echoed that the security breach is not as severe as first reported. Nonetheless, the company will post to its www.microsoft.com/security Web site around noon PST a fix to the vulnerability, a spokeswoman said.
The spokeswoman added that the vulnerability is in the FrontPage extensions that are part of NT Server 4.0. She said the "Netscape weenies" Easter Egg file does not allow the security breach. Instead, the "weenies" phrase is one way to access the vulnerability.
Besides using the phrase, a hacker would need author privileges in order to gain read-only access to Active Server Pages files, she said.
Mary Jo Foley contributed to this story.













