Since the embarrassing admission of the hack attack of its corporate network, Microsoft has suffered two more high profile attacks, both of which hit its Web site. The attacks on Microsoft's Web site, which runs on Windows NT/2000 and the company's IIS Web server, were breached using known vulnerabilities of the products. What's amazing is that fixes for these vulnerabilities had been available--from Microsoft--for some time, but they'd never been applied to the site. A hacker known only as Dmitri performed both hacks: In his first attack, he simply added a text file with the words "Hack the planet" to the site, without damaging any of the other files. His second attack goaded Microsoft for not fixing the problem that let him into the site in the first place: He added a new page to the site that reads, "Patching your system is very hard, huh?" Dmitri forwarded the address of the new page to journalists and other hackers to prove that he had broken into the site.
Microsoft spokesperson Adam Sohn described the attacks as "unfortunate and annoying" but said that they weren't serious: The affected servers are only used to route traffic between other Web servers, he says. And Sohn isn't sure why those machines didn't have the patches that might have prevented the problem applied, describing it as an exception. "Certainly, the timing is unfortunate," Sohn told The Standard this week, noting that the two Web server attacks come less than two weeks after Microsoft's network was breached by hackers. "Every organization has a security team that tells you they can do better. For us, security is a journey, not a destination." Another spokesperson said that the server Dmitri accessed was being retired anyway.
Sohn also offered an interesting update on the original Microsoft attack, adding yet another version to Microsoft's increasingly changing story. Sohn says that the hackers gained access to Microsoft's network as early as September 19, 2000, using the logon and password for an employee to gain access. On October 14, Microsoft discovered that the hacker had elevated his security privileges and began monitoring his activities, which ended on October 25. Sohn defended the fact that the hacker had at least two weeks of unmonitored activity in the network, noting that the employee's account he was using had only limited capabilities. Sohn says that the source code for Office and Windows was not compromised, though it's possible that the source code for a single unnamed future product was seen.
The recent Web site attacks, admittedly, were less dangerous. But with Microsoft under increasing scrutiny for security, it's curious that the company isn't taking this more seriously. As we move forward to a world of Internet-based software services, security will only become more important