We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Another hacker hits Microsoft

Here we go again

One week after Microsoft reported an intrusion into its corporate networks, another hacker claims to have penetrated the company's Web servers on Friday.

The Dutch hacker, using the alias 'Dimitri,' said that Microsoft failed to install a patch for a known bug in its Internet Information Server (IIS) software, and has not sufficiently secured its Web servers, he said in an interview with PC Advisor’s sister company, the IDG News Service.

He gained access to several of Microsoft's Web servers and was able to upload a short text file boasting of the hack to http://events.microsoft.com/, Dimitri said. He could alter files on Microsoft's download site, he said.

"I could add Trojan horses to software that MS customers download," said Dimitri.

A Microsoft spokesman confirmed that the hacker reached at least one server, but said that Microsoft security personnel were rechecking their servers for holes to patch.

"We investigated this report," spokesman Adam Sohn said. "He was able to exploit a known security flaw that we were able to patch. The patch had not yet applied to the server." He could not confirm that all servers in Microsoft's network had the hole patched.

The server was in semi-retirement, redirecting visitors to another area of the network with more updated content, he said.

"We are very focused on securing and maintaining the servers on our network," Sohn said. "From a security standpoint, there should be no difference between servers."

Dimitri said that he used the so-called Unicode bug to get access to Microsoft's systems. Microsoft first patched this security hole 10 August and issued a security bulletin 17 October pointing customers to the same software patch.

On its TechNet Web site Microsoft refers to the bug as the "Web Server Folder Traversal" vulnerability.

"It is extremely sloppy for Microsoft not to install it's own patches," Dimitri said.

Sohn denied that the security flaw was related to the intrusion Microsoft reported to the FBI on the 26 October. In that case, hackers gained access to unidentified source code under development for a future product.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Apple's 2014 highlights: the most significant Apple news of 2014

IDG UK Sites

2015 creative trends: 20 leading designers & artists reveal the biggest influences & changes coming)......

IDG UK Sites

Ultimate iOS 8 Tips: 35 awesome and advanced tips for using iOS 8 on iPhone and iPad