Print this article | E-mail this article | Comment on this article

Microsoft UK Web Site Hacked via SQL Flaw

By Ed Oswald, BetaNews

July 3, 2007, 2:47 PM

More details are now available on the hacking of the Microsoft UK Web site, with experts saying that the attackers got in through a SQL injection exploiting a vulnerability in the Web server software.

The attack, which occurred last Wednesday, defaced the front page of the Web site and inserted the image of a child waving the flag of Saudi Arabia. According to Zone-H.org, a hacking news Web site, the attacker used the SQL flaw to inject his own HTML code.

Microsoft has not confirmed how the attackers entered the site, saying only that it was investigating and had removed the injected code to return the page to normal. It also took action to ;stop any additional criminal activity."

It also said it was in contact with the third party which hosts the UK Web site to improve the security and prevent similar attacks from occurring. It is not known whether the database that was hacked was Microsoft's, although Zone-H speculated that it was MS SQL Server.

Microsoft's security chief in the UK played down the incident in an interview with ZDNet UK. ""Criminals are always trying to steal or break into systems--it shows we can't be complacent," Ed Gibson said. "Unfortunately, these things happen."

Add a Comment (14 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By spartacus2

edited Jul 10, 2007 - 1:09 PM

No doubt the clever person who invaded the MS UK Web Site will be offered employment for their fine efforts and then they'll all live incestuosly "happily ever after".

Score: 0

By sandeepreddy

edited Jul 6, 2007 - 5:23 AM

Yeah, I'm sure that's how these things are happend--This is an indication of poor programming and security levels.

Score: 0

By Natrunner

posted Jul 4, 2007 - 6:22 AM

As always, the OS that is on a majority of servers or home users PC's is under attack constantly. If Mac OS or Linux were a majority on servers or home PC's they would be under constant attack also.

Score: 0

By foxfyre

posted Jul 4, 2007 - 7:55 PM

What a completely wacko statement indicative of someone who understands neither OS design nor SQL injection.

This is an indication of poor programming and security practices.

SQL injection is a fundamental attack and one of the most simple to harden a system against.

Score: 0

By bourgeoisdude

posted Jul 5, 2007 - 4:30 PM

"SQL injection is a fundamental attack and one of the most simple to harden a system against."

Really? Then why are there so many patches to fix SQL vulnerabilities in *nix OSes as well as Microsoft's?

"It also said it was in contact with the third party which hosts the UK Web site to improve the security and prevent similar attacks from occurring. It is not known whether the database that was hacked was Microsoft's, although Zone-H speculated that it was MS SQL Server."

Figured that...MS may not have impenetrable servers here in the states, but they definately have enough oversight to notice little things before they get through...they'd of shut out the user's ip address from accessing it before they could have changed the site had it been on Microsoft's servers here in the states...IMO, anyway.

Score: 0

By HyTeK

edited Jul 4, 2007 - 12:26 PM

So the majority of internet web "SERVERS" run LAMP (Linux, Apache, MySQL, PHP), and have a lower number of security incidents then WIMPA (Windows, IIS, MSSQL, PHP, ASP) has no bearing on this?

Yes LAMP servers do get hacked, yes the majority of internet facing web servers are LAMP servers, and yes LAMP servers get hacked "less" then a WIMPA server despite having a larger install base.

Windows is on the majority of home computers, but this topic isn't about home computers.

Score: 0

By xyzcb1

posted Jul 5, 2007 - 11:44 AM

Dude, LAMP WON'T make headline. Only time when they make headline is when someone company like DELL or HP start including them with their system.

I don't remember when was the last time I read something about LAMP without a big next on the same sentence.

Score: 0

By c4p0ne

posted Jul 3, 2007 - 5:46 PM

IIS.. hahahaha... whew. .. .. .

IIS.. ohh hahahah ha.. ha ha.. oh boy.. wheew..

IIS.. oh ohh hahahahaha ...whoo hooo hoo. ahhh.

Man no matter how many times I hear that joke, it always makes me laugh.

Score: 0

By uberfly

posted Jul 4, 2007 - 2:36 AM

Moral of the story:

Smoke less pot, and keep up on your server security (regardless of what platforms you use).

Score: 0

By yohimbe9

posted Jul 3, 2007 - 3:41 PM

I hate when people call these SQL flaws. This is just simple SQL injection caused by people not validating input correctly. If you shoot yourself in the foot its not a flaw in the gun or your shoe, its actually the user of the gun.

Score: 0

By templar™

posted Jul 4, 2007 - 2:33 AM

Well said. Yet because it's MS site, people start to blame IIS & SQL Server.

Having said that, MS should have conducted thorough penetration testing across all its websites. Otherwise people will never take them seriously.

Score: 0

By bourgeoisdude

edited Jul 5, 2007 - 4:34 PM

Apparently it wasn't Microsoft's direct oversight--remember these servers are hosted by a third party company?

Microsoft.com's servers here in the US used to run off of conxion.com, but they haven't been hacked--at least not that I recall--since they were directly hosted by Microsoft themselves.

Score: 0

By Scotch Moose

posted Jul 3, 2007 - 3:31 PM

"Unfortunately, these things happen." ... to sites that run IIS or use weak passwords.

Score: 0

By bourgeoisdude

posted Jul 5, 2007 - 4:36 PM

Yeah, I'm sure that's how it was hacked--Microsoft always uses simple passwords because they only employ ignorant morons for security-- hence their insignificant market share (/end sarcasm)

Score: 0

Dec 5 - 1:45 AM ET Shazam: eight million songs of the eternal Now

Dec 4 - 7:30 PM ET Comcast to offer bandwidth consumption monitor

Dec 4 - 5:37 PM ET Counterfeiters sing the 'Blue' as Microsoft lawyers up

Dec 4 - 4:40 PM ET Opera 10 alpha shows off new Presto rendering engine

Dec 4 - 2:29 PM ET Apple: Psystar clone-maker is working with unnamed collaborators

Dec 4 - 2:21 PM ET Windows Live rollout sketchy, team apologizes

Dec 4 - 2:20 PM ET Stinging from a revenue shortfall, Adobe to shed workers

Dec 4 - 11:47 AM ET The storm hits AT&T, with a five-digit headcount reduction

Dec 4 - 11:42 AM ET TV sports adopts Web coverage, plays with iPhones

Dec 4 - 11:24 AM ET Microsoft seeks 'community' help to make IE8 Standards Mode work out