One week after Microsoft Corp. disclosed that an intruder had broken into its computer network, the software vendor last Friday confirmed claims by another hacker who said he had managed to penetrate at least one of the company's Web servers.
The Dutch hacker, who uses the alias "Dimitri," said in an interview that Microsoft had failed to install a patch for a known security hole in its Internet Information Server (IIS) software, leaving at least some of its Web servers vulnerable to attack. "It is extremely sloppy for Microsoft not to install its own patches," Dimitri added.
Microsoft last month contacted IIS users and "strongly" urged them to install the patch in order to plug the hole exploited by Dimitri, which lets attackers read and execute files on unprotected Web servers (see story). But a Microsoft spokesman said it's "hard to give an absolute certainty that the patch had been applied across the board" by the software vendor itself.
Dimitri claimed that he gained access to several of Microsoft's Web servers and was able to upload a short text file detailing the attack to a system that had been used to provide information about upcoming Microsoft events. The hacker also said he had the ability to alter files on the download portion of Microsoft's Web site.
In addition, Dimitri said he downloaded encrypted files containing administrative user names and passwords to Microsoft's Web server. The files could be decoded, he said. But he added that he had not decoded them and doesn't plan to do so.
Microsoft spokesman Adam Sohn confirmed that the hacker reached at least one Web server, and he said the company's information security personnel were in the process of rechecking its other systems to see if any remaining holes need to be patched.
"We investigated this report," Sohn said. "[Dimitri] was able to exploit a known security flaw that we were able to patch. The patch had not yet been applied to the server." Sohn added that he couldn't confirm that all of Microsoft's Web servers have now been updated with the patch.
The server known to be affected was in semiretirement and currently is used only to redirect users to another part of Microsoft's Web site that has more up-to-date content, Sohn said. "Before, it hosted events content," he noted. "[But] it had recently been retired from its former uses. It wasn't really hosting any content at all."
Microsoft is "very focused on securing and maintaining the servers on our network," Sohn said. "From a security standpoint, there should be no difference between servers. Would we prefer that our [internal security] people put patches in on the same day they come out? Sure."
The patch that plugs the IIS hole exploited by Dimitri was originally issued by Microsoft in August to fix a less-serious security flaw in the Web server software. Microsoft last month discovered that the patch would also take care of the newly discovered -- and potentially more damaging -- hole, which the company refers to as a "Web server folder traversal" vulnerability.
Sohn said the intrusion by Dimitri was unrelated to the attack that Microsoft reported to the FBI on Oct. 26. In that case, malicious hackers were able to view source code being developed for an unidentified future product by using an attack program hidden in e-mail. The two incidents "had nothing to do with each other," said Rick Miller, another Microsoft spokesman. "It's like comparing apples and oranges."
However, the disclosure of two hacks in little more than a week is raising questions about the extent of the security weaknesses in Microsoft's network. Security experts who have been able to confirm the intrusion through access logs provided by Dimitri said Microsoft must tighten its defenses.
"They shouldn't be vulnerable to this," said Ryan Russell, technical editor of the SecurityFocus.com Web site. "If they had anything interesting on the server, he could have gotten into it."
Dimitri "didn't have to be a rocket scientist" to get into Microsoft's server using a known security bug, added Paul Zimski, a security researcher at Internet security firm Finjan Software Inc. in San Jose.
Sohn conceded that the size of Microsoft's network -- and the allure to hackers of breaching the company's security -- make defending its systems an ongoing challenge. "Microsoft is a high-priority target," he said. "There is always a possibility that hackers can get into any network. There are bad people out there that will try to do bad things."
Related links:
- For more security coverage, visit our Security Watch page.
- Have opinions on security issues? Head to the forums. (Note: Registration required to post message; anyone may read messages. To register on Computerworld's forums, click here).