Adding insult to injury, Microsoft's network was cracked for the second time in two weeks. The most recent break-in was perpetrated last Friday by a Dutch cracker using the name "Dimitri", who gained entry to the Microsoft Events Web server, which is used to inform the public of the company's scheduled events. A message on the site says the Web site is being retired and directs users to the new site.
Dimitri gained access to the server by exploiting a known problem in Internet Information Server (IIS), for which Microsoft released a patch (MS00-057) in August of this year. The company subsequently added a related fix to the patch (MS00-078) in October and urged administrators worldwide to ensure the new IIS patch was applied. However, Microsoft apparently failed to apply the patch to at least one of its own exposed IIS servers.
The bug exploited by Dimitri involves specially formatted URLs containing Unicode characters: an overlong UTF-8 encoding of a path separator passes IIS's traversal check because it is decoded only after the check has run, letting a remote user traverse out of the Web folders to anywhere on the same logical drive. The end result is that an attacker can perform any action that a locally logged-on user could perform; per Microsoft's bulletin, commands run in the security context of the anonymous Web user account (IUSR_machinename).
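The following Python model, added here as an illustration and not code from the article or from Microsoft, shows why the traversal check fails. It reconstructs the order of operations in simplified form (an assumption, not a description of IIS internals): percent-escapes are decoded, the ".." depth check runs, and only then is the result interpreted as UTF-8, so the overlong sequence %c0%af (which a lax decoder maps to "/") is still one opaque byte pair when the check looks at it. The web root path and the request URLs are constructed test inputs; the probe URL is the form that circulated publicly for this bulletin. The hardened resolver decodes strictly, canonicalises, and only then checks containment.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Hypothetical web root for the example (not taken from the article).
WEBROOT = "/inetpub/wwwroot"


def escapes_root(path: str) -> bool:
    """Segment-by-segment depth check: True if a '..' climbs above the root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def lenient_utf8(raw: bytes) -> str:
    """Decode like a lax UTF-8 decoder: overlong two-byte forms such as
    C0 AF (an overlong '/') and C1 9C (an overlong '\\') are accepted and
    mapped to the ASCII character they encode; other bytes pass as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str) -> str:
    """Flawed order (assumed model): %XX decode, depth check, THEN UTF-8."""
    raw = unquote_to_bytes(url_path)
    if escapes_root(raw.decode("latin-1")):      # %c0%af is not a '/' yet
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8(raw).replace("\\", "/")  # now it is a '/'
    return posixpath.normpath(WEBROOT + "/" + decoded.lstrip("/"))


def hardened_resolve(url_path: str) -> str:
    """Strict decode, canonicalise, then verify the result stays under WEBROOT."""
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")   # Python's codec rejects overlong forms
    except UnicodeDecodeError as exc:
        raise PermissionError(f"malformed UTF-8 in path: {exc.reason}")
    full = posixpath.normpath(WEBROOT + "/" + decoded.replace("\\", "/").lstrip("/"))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise PermissionError("resolved path escapes the web root")
    return full


def classify(resolver, url_path: str) -> str:
    """Summarise what a resolver does with a request: rejected, inside, outside."""
    try:
        full = resolver(url_path)
    except PermissionError:
        return "rejected"
    return "inside" if full.startswith(WEBROOT + "/") else "outside"


if __name__ == "__main__":
    probe = "/scripts/..%c0%af../winnt/system32/cmd.exe"   # constructed test input
    for name, fn in (("vulnerable", vulnerable_resolve), ("hardened", hardened_resolve)):
        print(f"{name:10} {classify(fn, '/images/logo.gif'):8} /images/logo.gif")
        print(f"{name:10} {classify(fn, '/scripts/../../x'):8} /scripts/../../x")
        print(f"{name:10} {classify(fn, probe):8} {probe}")
```

The vulnerable resolver does reject a plain `../../` request, which is why the server looked safe to a casual test; only the overlong form slips through. The fix is ordering, not blacklisting: decode strictly, resolve to a canonical absolute path, and compare that path against the root.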
According to an IDG news report, Dimitri claimed to have viewed sensitive architectural characteristics of Microsoft Web servers, learning that they belong to a domain called "Houston" where each system is set up from the same disk image. In addition, Dimitri uploaded a text file to the site that contained the phrase "Hack the planet", and claims to have downloaded files that contain administrative user names and passwords. The cracker claims that as a result of the break-in he also gained access to Microsoft's download site, where he could have inserted Trojans into the company's downloadable software.
Microsoft didn't become aware of the break-in until Dimitri had contacted IDG News; the news service subsequently contacted Microsoft to report the intrusion. A Microsoft spokesperson confirmed the break-in, stating that the company's security teams would recheck their systems to ensure that patches had been applied. However, Microsoft's security teams apparently didn't recheck the systems quickly enough. On Tuesday, four days after the initial break-in and Web site defacement, the Microsoft Events server remained unpatched and Dimitri struck again. This time the Dutch hacker uploaded a file named oopsididitagain.htm that said "Patching your systems is very hard huh". A second line said "MSG to Britney Spears: I loved your concert in the netherlands [sic]." A mirror of the latest crack is available in the Attrition.org archives.
- Do you have the IIS "Web Server Folder Traversal" patch (MS00-078) loaded on every exposed IIS server? If not, put a reminder on your calendar to apply it.