The patch that plugs the IIS hole exploited by Dimitri was originally issued by Microsoft in August to fix a less-serious security flaw in the Web server software. Microsoft last month discovered that the patch would also take care of the newly discovered -- and potentially more damaging -- hole, which the company refers to as a "Web server folder traversal" vulnerability.
Sohn said the intrusion by Dimitri was unrelated to the attack that Microsoft reported to the FBI on Oct. 26. In that case, malicious hackers were able to view source code being developed for an unidentified future product by using an attack program hidden in e-mail. The two incidents "had nothing to do with each other," said Rick Miller, another Microsoft spokesman. "It's like comparing apples and oranges."
However, the disclosure of two hacks in little more than a week is raising questions about the extent of the security weaknesses in Microsoft's network. Security experts who have been able to confirm the intrusion through access logs provided by Dimitri said Microsoft must tighten its defenses.
"They shouldn't be vulnerable to this," said Ryan Russell, technical editor of the SecurityFocus.com Web site. "If they had anything interesting on the server, he could have gotten into it."
Dimitri "didn't have to be a rocket scientist" to get into Microsoft's server using a known security bug, added Paul Zimski, a security researcher at Internet security firm Finjan Software Inc. in San Jose.
Sohn conceded that the size of Microsoft's network -- and the allure to hackers of breaching the company's security -- make defending its systems an ongoing challenge. "Microsoft is a high-priority target," he said. "There is always a possibility that hackers can get into any network. There are bad people out there that will try to do bad things."