Microsoft plays down second hack attack

Microsoft's internal network has been broken into for the second time in as many weeks by a hacker who exploited the fact that the software giant had not applied its own security patches.

Dimitri, the Dutch hacker involved in the attack, claims to have broken into Microsoft's web servers by exploiting a known vulnerability with Internet Information Server (IIS).

The attack came days after Microsoft's internal network was broken into in a separate attack, believed to have been performed using the QAZ Trojan.

During the latest attack, Dimitri said he was able to upload a text file called 'hack the planet', boasting of his break-in, on to events.microsoft.com, and that he had access to several other web servers.

Dimitri claimed this would have allowed him to alter files or even place Trojans on Microsoft's site, but he said he stopped short of exploiting this for ethical reasons.

A Microsoft spokeswoman refuted this claim and said only one server, which was not hosting active content, had been compromised.

"This was a security issue with one of our servers which had recently been retired and was not hosting active content. It was just redirecting traffic," she said.

The server in question has been updated with the relevant security patch, and the spokeswoman said she is confident that no further damage to Microsoft's systems has occurred.

The latest attack was performed by exploiting the Unicode bug to IIS, a fix for which was first developed by Microsoft in August. Subsequent to this, and after realising that the vulnerability was more serious than first suspected, the software giant issued a fresh alert on 17 October, which designated the patch as a critical update.

Last week security firm ISS reported the "widespread exploitation" of the Unicode bug, which it said allows remote attackers to list directory contents, view files, delete files and execute arbitrary commands. This is possible because the bug allows attackers to use the Unicode character set to craft a web address that access resources via IIS that would normally be inaccessible.

Paul Rogers, network security analyst at MIS Corporate Defence Solutions, said it is difficult for Microsoft to justify not applying its own security patches, and that the failure suggests a "lax" attitude to security by the software giant.

The Microsoft spokeswoman defended its approach to security and said as a leading IT company it is an expert in the field.

Asked to square this with recent high-profile attacks, she said: "If hackers are really determined to get into systems, they can always find a way."