July 3, 2007 7:53 AM PDT

Details on defacement of Microsoft's U.K. Web site

Details have emerged of an attack which defaced Microsoft's U.K. Web site.

Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag.

It is likely that the company's U.K. site, which was breached on Wednesday, was subverted using an SQL injection, in which hackers exploit application vulnerabilities to alter server settings or mine data, according to Zone-H, which has also run a picture of the defacement.

"Most probably, the attacker exploited the site by means of SQL injection to insert HTML code in a field belonging to the table which gets read every time a new page is generated," Zone-H said on its site.
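As an added illustration (not code from the article or from Zone-H's analysis), the constructed Python/sqlite3 example below models the mechanism Zone-H describes: a content table that is read on every page render, an update path that splices untrusted input into the SQL text, and the two defences that address it, a parameterized query so input cannot rewrite the WHERE clause, and HTML encoding on output so stored content is displayed rather than interpreted. Table, column and slug names are assumptions.

```python
import html
import sqlite3


def setup_db():
    """Constructed sample: a tiny CMS table whose 'body' column is read on every render."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("contact", "Contact")],
    )
    conn.commit()
    return conn


def update_body_vulnerable(conn, slug, body):
    """Vulnerable: the slug is spliced into the SQL string, so a quote in it
    rewrites the WHERE clause and one request can overwrite every page's body.
    Returns the number of rows the UPDATE touched."""
    cur = conn.execute(f"UPDATE pages SET body = ? WHERE slug = '{slug}'", (body,))
    conn.commit()
    return cur.rowcount


def update_body_safe(conn, slug, body):
    """Hardened: both values are bound parameters, so the slug is compared as
    data and a malformed slug simply matches no row."""
    cur = conn.execute("UPDATE pages SET body = ? WHERE slug = ?", (body, slug))
    conn.commit()
    return cur.rowcount


def render_page(conn, slug):
    """Render with output encoding: whatever is stored is shown as text, not
    executed as markup. Returns None for an unknown slug."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    if row is None:
        return None
    return f"<p>{html.escape(row[0])}</p>"


if __name__ == "__main__":
    db = setup_db()
    # Constructed malformed slug: the classic tautology that matches every row.
    print(update_body_vulnerable(db, "nosuchpage' OR '1'='1", "<img src=x>"))
    print(render_page(db, "home"))
```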

Microsoft said it is investigating the breach. "Microsoft has learned of a criminal attempt to deface a subsite of Microsoft.com," the company said in a statement. "Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity.

"Microsoft is not currently aware of any customer impact as a result of this criminal activity but will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced Web site was restored to its original content within hours.

"We apologize if customers are inconvenienced by the unavailability of the affected Web site. Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to ensure the continued security of the Web site."

Ed Gibson, Microsoft's chief security adviser in the U.K., played down the impact of the security breach. "I think it's always difficult when any company suffers from an intrusion by a criminal organization," he said. "As to the question of long-standing damage--(Microsoft will not suffer), because that particular matter was cleaned up quickly.

"Criminals are always trying to steal or break into systems--it shows we can't be complacent. By all of us working as an industry to make the (ecosystem) better, we'll continue to make it better tomorrow. Unfortunately, these things happen."

Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested."

"When building commercial software for databases," he added, "there's a finite amount of time to test it. Software is never bug-free." It is understood that it was not an Oracle database that was subverted.

Tom Espiner of ZDNet UK reported from London.


23 comments

Microsoft website got hacked...
again.
nothing to see here.
Posted by FuturDreamz (28 comments )
Thanks for wasting 10 seconds of my life
On a useless post, now we are even.
Posted by rickybscs (4 comments )
Switch to a secure system: BSD or Solaris!
Gartner group already said: If you're concerned about web server security stay the hell away from IIS.
Posted by Maccess (610 comments )
Eat your own dogfood.
"working together as an industry..."

Is this a joke? We've been working together, almost without the industry, and we've made a more secure os and web server, etc...

Linux/Solaris/BSD and apache, all the way. If you wanted to see evidence of M$'s inferior software, here it is, right on their own site, for the world to see. Naturally if they used something better than what they make their stocks would drop...
Hence the title of my post.
--typed in colemak--
Posted by ethana2 (348 comments )
Ditto...
You act like none of those systems have ever been hacked! What kind of low-grade moron are you? This appears to be a SQL injection attack, something that's been happening to software from all the above vendors as well as MS. If this was some class of attack that uniquely targeted only MS software you might have a basis for your statement, but this is most certainly not a unique-to-MS problem and your post only shows you just like to pile on mindlessly.
Posted by aabcdefghij987654321 (1721 comments )
I don't care about
who is better and who is not, only until people figure out a way to track and prosecute these criminals, will "all" of us be safe.

If MS goes down for not being secure enough, then the attackers will find another. It will not end. A secure product is only good if it is necessary to have one. It should not be so.
Posted by suyts (824 comments )
We're talking Microsoft public web site here!
This should be Microsoft display window of technical know-how: the security of Windows 2003, the security of SQL server, the security of IIS (with all the security analysis tools), the security of the firewall.

If THEY can't secure their web site, what hope is there for the rest of us?

I know that in theory most sites are far less a risk than Microsoft, because they are not high-profile Microsoft.
Nevertheless, in my previous company, we were RELENTLESSLY attacked (we analysed the log files and traced many of the culprits) and were NEVER defaced or breached (we used Sun hardware, Solaris OS, proper rules on Cisco routers, and a non Microsoft software firewall).
Posted by jmdunys (49 comments )
High profile
Secure software is secure if it has 1 user or 100 million.

Number of users and security is disjoint.
Posted by qwerty75 (1164 comments )
not a very good show of
.net programming
Posted by DrtyDogg (3084 comments )
Where is the pic
Hi, anyone got any pic of it defaced? Can you send it to my email: chew_jek_hui@hotmail.com. I wish to post it in my personal blog (http://jekhui.blogspot.com). Thanks
Posted by chewjekhui (2 comments )
"Software is never bug-free."
Of all the statements in this article, the one that best defines Microsoft is this, "Software is never bug-free."

I've been designing and writing software for a variety of applications for about 30 years. Whenever I hear someone say that same tired line I'm immediately alerted to the likelihood that this person says that because he's written so much buggy code he can't believe it's possible not to.

NOT ALL SOFTWARE HAS BUGS!! It is not decreed in some celestial rulebook that programs, regardless of size and complexity, must contain some minimum amount of crappy, bug-infested code! That idea is the product of a mindset that also produces the kind of feeble, bug-ridden software that Microsoft has been pushing out for decades!

It has also produced the type of "quality control" for which they have become notorious. One which has relied on the customer to find, report and often fix the bugs their "engineers" would or could not.

It's nice to see that in this case at least, they are feeling the effects of their shoddy design and implementation. Perhaps that will teach them a lesson that many years of customer complaints have not.
Posted by samplesize (8 comments )
"Software is never bug-free"
Perhaps you should step off of your soapbox and work on your reading since you already perfected your code writing :-)

The quote you reference was made by Oracle.


Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested."

"When building commercial software for databases," he added, "there's a finite amount of time to test it. Software is never bug-free." It is understood that it was not an Oracle database that was subverted.
Posted by Shakingmy head (48 comments )
Quote:
&gt;"Perhaps that will teach them a lesson that many years of customer complaints have not."&lt;

Don't hold your breath!!!!!!!!!! :p
Posted by btljooz (401 comments )
:^0 So..... :^0
M$ gets [b][u]DOUBLE[/u][/b] stung!
:^0 ROTFLMAO :^0 !!!!!!!!!!!!

1. Their OWN [i]software[/i] is breached.

2. They [b]outsourced[/b] their site to a THIRD PARTY.

That's what they get for shoddy workmanship on [i]their software[/i] [u]and[/u] for [b]outsourcing[/b] something they could have done themselves to begin with! ]:)

:^0 ROTFLMAO :^0 !!!!!!!!!!!!

You suppose that maybe they'll [u]LEARN[/u] from this experience? ...naw, M$ learn?...nah ...oh, well.....

Still :^0 ROTFLMAO :^0 !!!!!!!!!!!! ]:)
Posted by btljooz (401 comments )
Oracle Weenie
People could pretty much figure out which, if any, database was compromised without an Oracle weenie chiming in.
Posted by jnewman (4 comments )
Yeah, but...
...but it was still funny. :D

Oracle charges a metric as$load for their software, but for good
reason - the stuff is iron-clad.

(OTOH, I can rig a MySQL or PostgreSQL server that would be
just as reliable and secure... and MySQL seems good enough for
Google, which has a somewhat sizeable set of DB's from what I
hear).

/P
Posted by Penguinisto (5042 comments )
Interesting Quote:
"[i]Upon notification of the criminal activity, Microsoft took the
appropriate action to resolve the issue and stop any additional
criminal activity.[/i]"

So... did they install a LAMP server then? :P

Seriously - I bet the IIS or Windows hole got patched a hell of a
lot faster than it would've if it had been some ordinary
schmuck's website...

/P
Posted by Penguinisto (5042 comments )
Oh really?
I weep for microsoft, but my tears are from laughter!
Posted by gwats1957 (117 comments )
:D ROTFLMAO
Hahaha

Microsoft doesn't deserve *ANY* sympathy for this. There is no such thing as bug-free software, says Oracle, and as a software developer myself, I agree with that sentiment. But there are differences in quality. Unlike some programmers, I actually make an attempt to test the software that I write. For quality, Oracle, Apple, *BSD, and Linux are up there in the top tier, and Microsoft is...well...I think the article speaks for itself.

After years of dropping turds on the computer industry (Vista is the latest one), it's finally coming back to bite them in the a$$.
Posted by Maelstorm (130 comments )
Microsoft is always investigating something!
They investigate because they don't believe it to be so. Even if it can be proven, they still don't want to accept it until they can investigate. And their investigations take forever.

SQL injection has been a problem for quite some time, thus it's nothing new. Microsoft should have already known about this but if they knew about it and they did something about it, such defacement wouldn't have happened now would it. (* GRIN *)

If Microsoft spent as much time debugging code prior to release as they spend on investigating "after the fact"... they would end up with better code, but hey... they've hardly learned anything in the past 20 years... so why expect them to learn something new now?

Walt
Posted by wbenton (522 comments )
 
