Advertisement
Promo

Security threats Toolkit

Details emerge of Microsoft website hack

Tom Espiner ZDNet.co.uk

Published: 02 Jul 2007 17:52 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Details have emerged of an attack which defaced Microsoft's UK website.

Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag.

It is likely that Microsoft.co.uk, which was breached on Wednesday, was subverted using SQL injection, according to security site Zone-H, which has also run a picture of the defacement. "Most probably, the attacker exploited the site by means of SQL injection to insert HTML code in a field belonging to the table which gets read every time a new page is generated," said Zone-H on its site.

Microsoft said it was investigating the breach. "Microsoft has learned of a criminal attempt to deface a sub-site of Microsoft.com," the software giant said in a statement. "Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity. Microsoft is not currently aware of any customer impact as a result of this criminal activity but will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced website was restored to its original content within hours."

Read this

Watch Debbie wrestle the Kraken

ZDNet UK member Xwindowsjunkie is pitting the next Windows Home Server against a homemade alternative built from open-source components. So how's it going?

Read the discussion+

"We apologise if customers are inconvenienced by the unavailability of the affected website. Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to ensure the continued security of the website."

Ed Gibson, Microsoft UK's chief security advisor, played down the impact of the security breach. "I think it's always difficult when any company suffers from an intrusion by a criminal organisation," said Gibson. "As to the question of long-standing damage — [Microsoft will not suffer], because that particular matter was cleaned up quickly. Criminals are always trying to steal or break into systems — it shows we can't be complacent. By all of us working as an industry to make the [ecosystem] better, we'll continue to make it better tomorrow. Unfortunately these things happen."

Patrick McLaughlin, the European director of security solutions at database company Oracle, said that "software can never be fully tested".

"When building commercial software for databases, there's a finite amount of time to test it — software is never bug-free," said McLaughlin. It is understood that it was not an Oracle database that was subverted.

Gibson and McLaughlin spoke to ZDNet UK at an event organised by RSA Conference Europe.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
7 out of 9 people found this useful



Company/Topic Alerts

Create a new alert from the list below:





Video icon

Video

Sentry Posts Blog

Met will not reopen phone hack investi...

The Metropolitan Police will not reopen its investigation into alleged phone hacking by the News of the World. In a press statement delivered outside Scotland Yard on Thursday, Assistant... More

Post a comment

FUD over ChromeOS's security already?

It hasn't taken long for the security vendors to wake to the potential of Google's new ChromeOS. The potential that is, to create FUD – fear uncertainty and doubt. In a release today,... More

Post a comment

Feds take DDoS in their stride

The US Department of Homeland Security has said that a series of distributed denial-of-service attacks began on US government networks on 4 July. However, Amy Kudwa, deputy press... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters