Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

FrontPage Bug Opens Microsoft Sites To Attackers

From: InfoSec News <isn () c4i org>
Date: Tue, 26 Mar 2002 02:34:54 -0600 (CST)
http://www.newsbytes.com/news/02/175442.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
25 Mar 2002, 11:49 AM CST
 
Exploiting a widely known flaw in Microsoft's Web server software,
attackers have defaced three Microsoft [NASDAQ:SFT] Web sites this
month.

On Sunday, a Brazilian defacement group known as Silver Lords replaced
the home page of a Microsoft customer support site located at
http://cust-supp-chat.one.microsoft.com with one of their own.
 
The defaced page, which was still viewable today, included a message
in Portuguese that begins "Bill Gates, my beloved and millionaire
friend," and ridicules Microsoft for failing to follow the advice in
its security bulletins.

The other defaced sites included the Web home of Microsoft Research's
Social Computing Group, and a site for an advisory group for
Microsoft's Office suite. All three sites were running Microsoft's
Internet Information Server (IIS) software, according to Netcraft.

In an online interview today, a Silver Lords member who calls himself
"Lord Choo3s" said he attacked the three sites by exploiting an
unpatched flaw in an IIS component called FrontPage Server Extensions.

Microsoft released a bulletin and patch for the buffer overflow flaw,
which allows attackers to run code of their choice on a vulnerable
server, on Jun. 21, 2001.

The vandalized Microsoft support site was also briefly defaced by
another attacker today. The defacer, who called himself "Analysis,"  
posted a new message in Portuguese that read "Bill Gates, son of the
devil ... go to hell."

To deface the Microsoft sites, Lord Choo3s of Silver Lords, who said
he was 15, relied on an exploit published by NSfocus, a computer
security firm in China.

Microsoft's bulletin on the FrontPage vulnerability thanks NSfocus for
reporting the issue to Microsoft and working with it to protect
customers.

NSfocus' advisory about the FrontPage flaw included a disclaimer that
reads: "This code is for test purpose only and should not be run
against any host without permission from the system administrator."

Among the pages hosted at the cust-supp-chat.one.microsoft.com server
is one for unsubscribing from MSN Newsletters. Another page assists
users of Microsoft's Passport service who have forgotten their
passwords.

A Microsoft representative said the company is "vigilant in our
efforts to ensure the security of our network," but added that
Microsoft does not discuss or comment on specific attempts or claims
of intrusion.

A mirror of the defaced Microsoft support site is at
http://www.zone-h.org/defaced/2002/03/24/cust-supp-chat.one.microsoft.com

SecurityFocus' description of the FrontPage vulnerability is at
http://online.securityfocus.com/bid/2906



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: