Title: Microsoft's response to the Cult of the Dead Cow's "BackOrifice"
Date Issued: August 4, 1998
Last Modified: August 4, 1998
Code: MS98-010
Source: Microsoft
Microsoft Market Bulletin

Microsoft's response to the Cult of the Dead Cow's "BackOrifice" tool

Last Revision: August 4, 1998 

Summary
On July 21, a self-described hacker group known as the Cult of
the Dead Cow released a tool called "BackOrifice", and
suggested that Windows users were at risk from unauthorized
attacks. Microsoft takes security seriously, and has issued this
bulletin to advise customers that Windows 95® and Windows
98® users following safe computing practices are not at risk
and Windows NT® users are not threatened in any way by this
tool. 

The Claims About "BackOrifice"
According to its creators, "BackOrifice" is "a self-contained,
self-installing utility which allows the user to control and
monitor computers running the Windows operating system over
a network". The authors claim that the program can be used to
remotely control a Windows computer, read everything that the
user types at the keyboard, capture images that are displayed
on the monitor, upload and download files remotely, and redirect
information to a remote internet site. 

The Truth About "BackOrifice"
"BackOrifice" does not expose or exploit any security issue with
the Windows platform or the Microsoft BackOffice® suite of
products. In fact, remote control software is nothing new - a
number of commercial programs are available that allow a
computer to be remotely controlled for legitimate purposes, like
enterprise help desk support. 

"BackOrifice" does not compromise the security of a Windows
network. Instead, it relies on the user to install it and, once
installed, has only the rights and privileges that the user
has on the computer. For a "BackOrifice" attack to succeed, a
chain of very specific events must happen:

     The user must deliberately install, or be tricked into
     installing the program 
     The attacker must know the user's IP address 
     The attacker must be able to directly address the user's
     computer; e.g., there must not be a firewall between the
     attacker and the user. 

What Does This Mean for Customers Running Windows 95
and Windows 98?
"BackOrifice" is unlikely to pose a threat to the vast majority of
Windows 95 or Windows 98 users, especially those who follow
safe internet computing practices. Windows 95 and Windows 98
offer a set of security features that will in general allow users
to safely use their computers at home or on the Internet. Like
any other program, "BackOrifice" must be installed before it can
run. Clearly, users should prevent this installation by following
good practices like not downloading unsigned executables, and
by insulating themselves from direct connection to the Internet
with Proxy Servers and/or firewalls wherever possible. Generally,
computers running Windows 95 and Windows 98 are not
vulnerable if: 

     The computer is not connected to the outside world 
     The computer is connected to the Internet through an
     Internet service provider that dynamically assigns IP
     addresses, as the vast majority of ISPs already do, so
     that it cannot be reliably addressed for remote control.
     The computer is on a network with a firewall or proxy
     server between it and the attacker. 

What Does This Mean For Customers Running Windows NT?
There is no threat to Windows NT Workstation or Windows NT
Server customers; the program does not run on the
Windows NT platform. "BackOrifice"'s authors don't claim that
their product poses any threat to Windows NT. Windows NT
Workstation and Server offer a comprehensive set of security
features that make it the best choice for business users'
mission-critical applications. 

What Customers Should do
Customers do not need to take any special precautions against
this program. However, all of the normal precautions regarding
safe computing apply: 

     Customers should keep their software up to date and
     should never install or run software from unknown sources
     -- this applies to both software available on the Internet
     and sent via e-mail. Reputable software vendors digitally
     sign their software to verify its authenticity and safety. 
     Companies should use the security features provided by
     Microsoft products, to prevent the introduction of this
     and other malicious software, and should monitor network
     usage to prevent insider attacks. 
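The bulletin's practical advice is to verify a vendor's digital signature before installing anything obtained from the Internet or e-mail. The following PowerShell function is an added illustration of that check on a current Windows system; it is not part of the 1998 bulletin and not Microsoft's own code. It uses the real Get-AuthenticodeSignature cmdlet and the NTFS Zone.Identifier stream (the "mark of the web"), and the file path and ZoneId value 3 (Internet zone) are assumptions for the example.

```powershell
# Added example (not from the bulletin): refuse to run a downloaded executable
# unless its Authenticode signature is valid, and report where it came from.
function Test-TrustedExecutable {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    # Zone.Identifier is an alternate data stream that browsers and mail clients
    # attach to downloads; ZoneId=3 marks the file as coming from the Internet.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = ($zone -match '^ZoneId=3')
    if ($fromInternet) {
        Write-Host "$Path was downloaded from the Internet zone; checking signature."
    }

    # Get-AuthenticodeSignature verifies the file hash against the signature and
    # builds the signer's certificate chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted,
    # UnknownError, ...) is treated as untrusted and is not run.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status is {1}; not running it." -f $Path, $sig.Status)
        return $false
    }

    Write-Host ("{0}: signed by {1}" -f $Path, $sig.SignerCertificate.Subject)
    return $true
}

# Run the program only after the signature check passes.
function Invoke-IfTrusted {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    if (Test-TrustedExecutable -Path $Path) {
        Start-Process -FilePath $Path
    }
}

# Placeholder path; substitute the file you actually downloaded.
Invoke-IfTrusted -Path 'C:\Users\Example\Downloads\setup.exe'
```

A valid signature confirms who published the file and that it has not been altered since signing; it does not by itself say the program is safe, which is why the bulletin pairs signature checking with obtaining software only from known sources and keeping a firewall or proxy between the machine and the Internet.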

                            
          © 1998 Microsoft and/or its suppliers. All rights reserved. 
    For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.