One week after Microsoft reported an intrusion into its corporate networks, another hacker claims to have penetrated the company's Web servers on Friday.
The Dutch hacker, using the alias 'Dimitri,' said in an interview with PC Advisor's sister company, the IDG News Service, that Microsoft had failed to install a patch for a known bug in its Internet Information Server (IIS) software and had not sufficiently secured its Web servers.
He gained access to several of Microsoft's Web servers and was able to upload a short text file boasting of the hack to http://events.microsoft.com/, Dimitri said. He could alter files on Microsoft's download site, he said.
"I could add Trojan horses to software that MS customers download," said Dimitri.
A Microsoft spokesman confirmed that the hacker reached at least one server, but said that Microsoft security personnel were rechecking their servers for holes to patch.
"We investigated this report," spokesman Adam Sohn said. "He was able to exploit a known security flaw that we were able to patch. The patch had not yet been applied to the server." He could not confirm that all servers in Microsoft's network had the hole patched.
The server was in semi-retirement, redirecting visitors to another area of the network with more updated content, he said.
"We are very focused on securing and maintaining the servers on our network," Sohn said. "From a security standpoint, there should be no difference between servers."
Dimitri said that he used the so-called Unicode bug to get access to Microsoft's systems. Microsoft first patched this security hole on 10 August and issued a security bulletin on 17 October pointing customers to the same software patch.
On its TechNet Web site Microsoft refers to the bug as the "Web Server Folder Traversal" vulnerability.
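The Web Server Folder Traversal flaw Dimitri refers to worked because IIS checked a request for `..` escapes before it had finished decoding it: an overlong UTF-8 encoding of the `/` character, such as `%c0%af`, passed the check as harmless bytes and was only turned into a path separator afterwards, so `/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir` could reach a command interpreter outside the Web root. The Python model below is an added illustration and is not code from the article, from Microsoft or from the hacker. The web-root path, the function names and the request strings are constructed for the example, and `lenient_utf8_decode` imitates the faulty decoder rather than reproducing any real IIS code (Python's own codec correctly rejects overlong sequences).

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed web root for the model; real IIS mapped virtual directories
# such as /scripts to other locations on disk.
WEB_ROOT = "/inetpub/wwwroot"


def inside_root(full_path: str) -> bool:
    """True if the normalised absolute path is the web root or below it."""
    return full_path == WEB_ROOT or full_path.startswith(WEB_ROOT + "/")


def lenient_utf8_decode(raw: bytes) -> str:
    """Model of a decoder that accepts overlong two-byte UTF-8 sequences.

    0xC0 0xAF is an overlong encoding of U+002F ('/'); a conforming decoder
    rejects it, but this one maps it to '/', which is the behaviour the
    'Unicode bug' exploited. Other bytes are passed through as Latin-1.
    """
    out = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def resolve_vulnerable(url: str):
    """Check for traversal first, decode the bytes afterwards (the bug).

    Returns the filesystem path the server would open, or None if the
    request is rejected.
    """
    raw = unquote_to_bytes(url.split("?", 1)[0])       # %c0%af -> b'\xc0\xaf'
    # The traversal check sees the two undecoded bytes between the dots,
    # so '..\xc0\xaf..' is an ordinary directory name to it.
    checked = posixpath.normpath(posixpath.join(WEB_ROOT, raw.decode("latin-1").lstrip("/")))
    if not inside_root(checked):
        return None
    # Only now does the lenient decoder turn \xc0\xaf into '/', creating '../..'.
    decoded = lenient_utf8_decode(raw)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def resolve_fixed(url: str):
    """Decode strictly and completely, then canonicalise, then check."""
    raw = unquote_to_bytes(url.split("?", 1)[0])
    try:
        decoded = raw.decode("utf-8")                  # overlong forms raise here
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    return full if inside_root(full) else None


if __name__ == "__main__":
    # Constructed requests: the classic traversal shape and a benign one.
    for req in (
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/scripts/../../winnt/system32/cmd.exe",
        "/scripts/hello.asp",
    ):
        print(f"{req}\n  vulnerable -> {resolve_vulnerable(req)}\n  fixed      -> {resolve_fixed(req)}")
```

The plain `../../` request is rejected by both resolvers, which is why the server's owners could believe their traversal check was sound; only the overlong encoding reaches `/inetpub/winnt/system32/cmd.exe`, outside the root, through the vulnerable path. The fix is the ordering rule practitioners still apply to any path-based access control: fully decode and canonicalise the input first, with a strict decoder, and run the security check on the final form.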
"It is extremely sloppy for Microsoft not to install its own patches," Dimitri said.
Sohn denied that the security flaw was related to the intrusion Microsoft reported to the FBI on 26 October. In that case, hackers gained access to unidentified source code under development for a future product.