January 05, 2001, 2:53 PM — One week after Microsoft Corp. disclosed that an intruder had broken into its computer network, the software vendor last Friday confirmed claims by another hacker who said he had managed to penetrate at least one of the company's Web servers.
The Dutch hacker, who uses the alias "Dimitri," said in an interview that Microsoft had failed to install a patch for a known security hole in its Internet Information Server (IIS) software, leaving at least some of its Web servers vulnerable to attack. "It is extremely sloppy for Microsoft not to install its own patches," Dimitri added.
Microsoft last month contacted IIS users and "strongly" urged them to install the patch in order to plug the hole exploited by Dimitri, which lets attackers read and execute files on unprotected Web servers. But a Microsoft spokesman said it's "hard to give an absolute certainty that the patch had been applied across the board" by the software vendor itself.
Dimitri claimed that he gained access to several of Microsoft's Web servers and was able to upload a short text file detailing the attack to a system that had been used to provide information about upcoming Microsoft events. The hacker also said he had the ability to alter files on the download portion of Microsoft's Web site.
In addition, Dimitri said he downloaded encrypted files containing administrative user names and passwords to Microsoft's Web server. The files could be decoded, he said. But he added that he had not decoded them and doesn't plan to do so.
Microsoft spokesman Adam Sohn confirmed that the hacker reached at least one Web server, and he said the company's information security personnel were in the process of rechecking its other systems to see if any remaining holes need to be patched.
"We investigated this report," Sohn said. "[Dimitri] was able to exploit a known security flaw that we were able to patch. The patch had not yet been applied to the server." Sohn added that he couldn't confirm that all of Microsoft's Web servers have now been updated with the patch.
The server known to be affected was in semiretirement and currently is used only to redirect users to another part of Microsoft's Web site that has more up-to-date content, Sohn said. "Before, it hosted events content," he noted. "[But] it had recently been retired from its former uses. It wasn't really hosting any content at all."
Microsoft is "very focused on securing and maintaining the servers on our network," Sohn said. "From a security standpoint, there should be no difference between servers. Would we prefer that our [internal security] people put patches in on the same day they come out? Sure."