
July 3, 2007 7:53 AM PDT

Details on defacement of Microsoft's U.K. Web site

Details have emerged of an attack which defaced Microsoft's U.K. Web site.

Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag.

It is likely that the company's U.K. site, which was breached on Wednesday, was subverted using an SQL injection, in which hackers exploit application vulnerabilities to alter server settings or mine data, according to Zone-H, which has also run a picture of the defacement.

"Most probably, the attacker exploited the site by means of SQL injection to insert HTML code in a field belonging to the table which gets read every time a new page is generated," Zone-H said on its site.
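The mechanism Zone-H describes, a value written into a content table that is read on every page generation, comes down to how the application builds its SQL. The following is an added example written for this article, not code from Microsoft, Zone-H or the site in question; the table `page_content`, its columns and the function names are assumptions. It shows why splicing user input into the SQL text lets the input change the statement (an apostrophe is enough to break it, which is the same defect class that lets an attacker store arbitrary markup), the parameterised form that stores the same input as plain data, HTML escaping at render time so stored text is displayed rather than interpreted, and a simple audit that flags content rows containing tags.

```python
import html
import sqlite3

# Added example, not code from the article, Zone-H or Microsoft. The schema and names
# below are assumptions standing in for a "table which gets read every time a new page
# is generated".

def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory content table holding one page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_content (slug TEXT PRIMARY KEY, body TEXT NOT NULL)")
    conn.execute("INSERT INTO page_content VALUES ('home', 'Welcome to the U.K. site')")
    conn.commit()
    return conn

def build_update_vulnerable(slug: str, new_body: str) -> str:
    """Splice untrusted input straight into the SQL text (the defect class)."""
    # Quote characters in new_body become part of the statement, so the input decides
    # what the statement means instead of being just a value for the body column.
    return f"UPDATE page_content SET body = '{new_body}' WHERE slug = '{slug}'"

def update_body_vulnerable(conn: sqlite3.Connection, slug: str, new_body: str) -> None:
    conn.execute(build_update_vulnerable(slug, new_body))
    conn.commit()

def update_body_safe(conn: sqlite3.Connection, slug: str, new_body: str) -> None:
    """Parameterised statement: the value travels separately from the SQL text."""
    conn.execute("UPDATE page_content SET body = ? WHERE slug = ?", (new_body, slug))
    conn.commit()

def render_page(conn: sqlite3.Connection, slug: str) -> str:
    """Generate the page; stored text is HTML-escaped so it is shown, not interpreted."""
    row = conn.execute("SELECT body FROM page_content WHERE slug = ?", (slug,)).fetchone()
    return '<div class="content">' + html.escape(row[0]) + "</div>"

def audit_markup(conn: sqlite3.Connection) -> list:
    """Detection check: plain-text content fields should never contain tags."""
    rows = conn.execute("SELECT slug, body FROM page_content").fetchall()
    return [slug for slug, body in rows if "<" in body or ">" in body]

def demo() -> tuple:
    conn = make_db()
    # Constructed input: the apostrophe breaks the spliced statement, and the tag shows
    # what an audit sees when markup has been stored as content.
    user_input = "O'Brien's <img src=flag.png>"
    try:
        update_body_vulnerable(conn, "home", user_input)
        vulnerable_outcome = "executed"
    except sqlite3.Error as exc:
        # A syntax error from a content update is itself a log signal worth alerting on.
        vulnerable_outcome = "error: " + str(exc)
    update_body_safe(conn, "home", user_input)
    return vulnerable_outcome, render_page(conn, "home"), audit_markup(conn)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the spliced statement failing on the first apostrophe, the parameterised update storing the string verbatim, the rendered page containing `&lt;img ...&gt;` rather than a live tag, and the audit flagging the `home` row. Parameterisation stops the table being written through the query text; escaping on output limits the damage if a row is nonetheless altered by some other path; the audit gives the operator a way to notice that it happened.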

Microsoft said it is investigating the breach. "Microsoft has learned of a criminal attempt to deface a subsite of Microsoft.com," the company said in a statement. "Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity.

"Microsoft is not currently aware of any customer impact as a result of this criminal activity but will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced Web site was restored to its original content within hours.

"We apologize if customers are inconvenienced by the unavailability of the affected Web site. Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to ensure the continued security of the Web site."

Ed Gibson, Microsoft's chief security adviser in the U.K., played down the impact of the security breach. "I think it's always difficult when any company suffers from an intrusion by a criminal organization," he said. "As to the question of long-standing damage--(Microsoft will not suffer), because that particular matter was cleaned up quickly.

"Criminals are always trying to steal or break into systems--it shows we can't be complacent. By all of us working as an industry to make the (ecosystem) better, we'll continue to make it better tomorrow. Unfortunately, these things happen."

Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested."

"When building commercial software for databases," he added, "there's a finite amount of time to test it. Software is never bug-free." It is understood that it was not an Oracle database that was subverted.

Tom Espiner of ZDNet UK reported from London.


23 comments
Microsoft website got hacked...
by FuturDreamz July 3, 2007 8:56 AM PDT
again.
nothing to see here.
Thanks for wasting 10 seconds of my life
by rickybscs July 3, 2007 10:03 AM PDT
On a useless post, now we are even.
Switch to a secure system: BSD or Solaris!
by Maccess July 3, 2007 10:45 PM PDT
Gartner group already said: If you're concerned about web server security stay the hell away from IIS.
Eat your own dogfood.
by ethana2 July 3, 2007 10:54 AM PDT
"working together as an industry..."

Is this a joke? We've been working together, almost without the industry, and we've made a more secure os and web server, etc...

Linux/Solaris/BSD and apache, all the way. If you wanted to see evidence of M$'s inferior software, here it is, right on their own site, for the world to see. Naturally if they used something better than what they make their stocks would drop...
Hence the title of my post.
--typed in colemak--
Ditto...
by aabcdefghij987654321 July 3, 2007 11:14 AM PDT
You act like none of those systems have ever been hacked! What kind of low-grade moron are you? This appears to be a SQL injection attack, something that's been happening to software from all the above vendors as well as MS. If this was some class of attack that uniquely targeted only MS software you might have a basis for your statement, but this is most certainly not a unique-to-MS problem and your post only shows you just like to pile on mindlessly.
I don't care about
by suyts July 3, 2007 7:22 PM PDT
who is better and who is not, only until people figure out a way to track and prosecute these criminals, will "all" of us be safe.

If MS goes down for not being secure enough, then the attackers will find another. It will not end. A secure product is only good if it is necessary to have one. It should not be so.
We're talking Microsoft public web site here!
by jmdunys July 4, 2007 3:36 AM PDT
This should be Microsoft display window of technical know-how: the security of Windows 2003, the security of SQL server, the security of IIS (with all the security analysis tools), the security of the firewall.

If THEY can't secure their web site, what hope is there for the rest of us?

I know that in theory most sites are far less a risk than Microsoft, because they are not high-profile Microsoft.
Nevertheless, in my previous company, we were RELENTLESSLY attacked (we analysed the log files and traced many of the culprits) and were NEVER defaced or breached (we used Sun hardware, Solaris OS, proper rules on Cisco routers, and a non Microsoft software firewall).
High profile
by qwerty75 July 4, 2007 9:34 AM PDT
Secure software is secure if it has 1 user or 100 million.

Number of users and security is disjoint.
not a very good show of
by DrtyDogg July 6, 2007 3:06 AM PDT
.net programming
Where is the pic
by chewjekhui July 4, 2007 6:25 AM PDT
Hi, anyone got any pic of it defaced? Can you send it to my email: chew_jek_hui@hotmail.com. I wish to post it in my personal blog (http://jekhui.blogspot.com). Thanks
"Software is never bug-free."
by samplesize July 5, 2007 5:58 AM PDT
Of all the statements in this article, the one that best defines Microsoft is this, "Software is never bug-free."

I've been designing and writing software for a variety of applications for about 30 years. Whenever I hear someone say that same tired line I'm immediately alerted to the likelihood that this person says that because he's written so much buggy code he can't believe it's possible not to.

NOT ALL SOFTWARE HAS BUGS!! It is not decreed in some celestial rulebook that programs, regardless of size and complexity, must contain some minimum amount of crappy, bug-invested code! That idea is the product of a mindset that also produces the kind of feeble, bug-ridden software that Microsoft has been pushing out for decades!

It has also produced the type of "quality control" for which they have become notorious. One which has relied on the customer to find, report and often fix the bugs their "engineers" would or could not.

It's nice to see that in this case at least, they are feeling the effects of their shoddy design and implementation. Perhaps that will teach them a lesson that many years of customer complaints have not.
"Software is never bug-free"
by Shakingmy head July 5, 2007 10:50 AM PDT
Perhaps you should step off of your soapbox and work on your reading since you already perfected your code writing :-)

The quote you reference was made by Oracle.


Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested."

"When building commercial software for databases," he added, "there's a finite amount of time to test it. Software is never bug-free." It is understood that it was not an Oracle database that was subverted.
Quote:
by btljooz July 5, 2007 3:43 PM PDT
>"Perhaps that will teach them a lesson that many years of customer complaints have not."<

Don't hold your breath!!!!!!!!!! :p
:^0 So..... :^0
by btljooz July 5, 2007 3:38 PM PDT
M$ gets [b][u]DOUBLE[/u][/b] stung!
:^0 ROTFLMAO :^0 !!!!!!!!!!!!

1. Their OWN [i]software[/i] is breached.

2. They [b]outsourced[/b] their site to a THIRD PARTY.

That's what they get for shoddy workmanship on [i]their software[/i] [u]and[/u] for [b]outsourcing[/b] something they could have done themselves to begin with! ]:)

:^0 ROTFLMAO :^0 !!!!!!!!!!!!

You suppose that maybe they'll [u]LEARN[/u] from this experience? ...naw, M$ learn?...nah ...oh, well.....

Still :^0 ROTFLMAO :^0 !!!!!!!!!!!! ]:)
Oracle Weenie
by jnewman July 5, 2007 7:09 PM PDT
People could pretty much figure out which, if any, database was compromised without an Oracle weenie chiming in.
Yeah, but...
by Penguinisto July 5, 2007 10:34 PM PDT
...but it was still funny. :D

Oracle charges a metric as$load for their software, but for good reason - the stuff is iron-clad.

(OTOH, I can rig a MySQL or PostgreSQL server that would be just as reliable and secure... and MySQL seems good enough for Google, which has a somewhat sizeable set of DB's from what I hear).

/P
Interesting Quote:
by Penguinisto July 5, 2007 10:28 PM PDT
"[i]Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity.[/i]"

So... did they install a LAMP server then? :P

Seriously - I bet the IIS or Windows hole got patched a hell of a lot faster than it would've if it had been some ordinary schmuck's website...

/P
Oh really?
by gwats1957 July 6, 2007 6:58 AM PDT
I weep for microsoft, but my tears are from laughter!
:D ROTFLMAO
by Maelstorm July 6, 2007 7:37 AM PDT
Hahaha

Microsoft doesn't deserve *ANY* sympathy for this. There is no such thing as bug-free software, says Oracle, and as a software developer myself, I agree with that sentiment. But there are differences in quality. Unlike some programmers, I actually make an attempt to test the software that I write. For quality, Oracle, Apple, *BSD, and Linux are up there in the top tier, and Microsoft is...well...I think the article speaks for itself.

After years of dropping turds on the computer industry (Vista is the latest one), it's finally coming back to bite them in the a$$.
Microsoft is always investigating something!
by wbenton July 6, 2007 9:15 AM PDT
They investigate because they don't believe it to be so. Even if it can be proven, they still don't want to accept it until they can investigate. And their investigations take forever.

SQL injection has been a problem for quite some time, thus it's nothing new. Microsoft should have already known about this, but if they knew about it and they did something about it, such a defacement wouldn't have happened now, would it? (* GRIN *)

If Microsoft spent as much time debugging code prior to release as they spend on investigating "after the fact"... they would end up with better code, but hey... they've hardly learned anything in the past 20 years... so why expect them to learn something new now?

Walt