By John Leyden, VNU Net
Microsoft’s internal network has been broken into for the second
time in as many weeks by a hacker who exploited the fact that the
software giant had not applied its own security patches.
Dimitri, the Dutch hacker involved in the attack, claims to have
broken into Microsoft’s web servers by exploiting a known
vulnerability with Internet Information Server (IIS).
The attack came days after Microsoft’s internal network was
broken into in a separate attack, believed to have been performed
using the QAZ Trojan.
During the latest attack, Dimitri said he was able to upload a
text file called ‘hack the planet’, boasting of his break-in, on to
events.microsoft.com, and that he had access to several other web
servers.
Dimitri claimed this would have allowed him to alter files or
even place Trojans on Microsoft’s site, but he said he stopped
short of exploiting this for ethical reasons.
A Microsoft spokeswoman refuted this claim and said only one
server, which was not hosting active content, had been
compromised.
“This was a security issue with one of our servers which had
recently been retired and was not hosting active content. It was
just redirecting traffic,” she said.
The server in question has been updated with the relevant
security patch, and the spokeswoman said she is confident that no
further damage to Microsoft’s systems has occurred.
The latest attack was performed by exploiting the Unicode bug to
IIS, a fix for which was first developed by Microsoft in August.
Subsequent to this, and after realising that the vulnerability was
more serious than first suspected, the software giant issued a
fresh alert on 17 October, which designated the patch as a critical
update.
Last week security firm ISS reported the “widespread
exploitation” of the Unicode bug, which it said allows remote
attackers to list directory contents, view files, delete files and
execute arbitrary commands. This is possible because the bug allows
attackers to use the Unicode character set to craft a web address
that access resources via IIS that would normally be
inaccessible.
Paul Rogers, network security analyst at MIS Corporate Defence
Solutions, said it is difficult for Microsoft to justify not
applying its own security patches, and that the failure suggests a
“lax” attitude to security by the software giant.
The Microsoft spokeswoman defended its approach to security and
said as a leading IT company it is an expert in the field.
Asked to square this with recent high-profile attacks, she said:
“If hackers are really determined to get into systems, they can
always find a way.”