[ISN] FrontPage Bug Opens Microsoft Sites To Attackers

From: InfoSec News (isnat_private)
Date: Tue Mar 26 2002 - 00:34:54 PST

    http://www.newsbytes.com/news/02/175442.html
    
    By Brian McWilliams, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    25 Mar 2002, 11:49 AM CST
     
    Exploiting a widely known flaw in Microsoft's Web server software,
    attackers have defaced three Microsoft [NASDAQ:MSFT] Web sites this
    month.
    
    On Sunday, a Brazilian defacement group known as Silver Lords replaced
    the home page of a Microsoft customer support site located at
    http://cust-supp-chat.one.microsoft.com with one of their own.
     
    The defaced page, which was still viewable today, included a message
    in Portuguese that begins "Bill Gates, my beloved and millionaire
    friend," and ridicules Microsoft for failing to follow the advice in
    its security bulletins.
    
    The other defaced sites included the Web home of Microsoft Research's
    Social Computing Group, and a site for an advisory group for
    Microsoft's Office suite. All three sites were running Microsoft's
    Internet Information Server (IIS) software, according to Netcraft.
    
    In an online interview today, a Silver Lords member who calls himself
    "Lord Choo3s" said he attacked the three sites by exploiting an
    unpatched flaw in an IIS component called FrontPage Server Extensions.
    
    Microsoft released a bulletin and patch for the buffer overflow flaw,
    which allows attackers to run code of their choice on a vulnerable
    server, on Jun. 21, 2001.
    
    The vandalized Microsoft support site was also briefly defaced by
    another attacker today. The defacer, who called himself "Analysis,"
    posted a new message in Portuguese that read "Bill Gates, son of the
    devil ... go to hell."
    
    To deface the Microsoft sites, Lord Choo3s of Silver Lords, who said
    he was 15, relied on an exploit published by NSfocus, a computer
    security firm in China.
    
    Microsoft's bulletin on the FrontPage vulnerability thanks NSfocus for
    reporting the issue to Microsoft and working with it to protect
    customers.
    
    NSfocus' advisory about the FrontPage flaw included a disclaimer that
    reads: "This code is for test purpose only and should not be run
    against any host without permission from the system administrator."
    
    Among the pages hosted at the cust-supp-chat.one.microsoft.com server
    is one for unsubscribing from MSN Newsletters. Another page assists
    users of Microsoft's Passport service who have forgotten their
    passwords.
    
    A Microsoft representative said the company is "vigilant in our
    efforts to ensure the security of our network," but added that
    Microsoft does not discuss or comment on specific attempts or claims
    of intrusion.
    
    A mirror of the defaced Microsoft support site is at
    http://www.zone-h.org/defaced/2002/03/24/cust-supp-chat.one.microsoft.com
    
    SecurityFocus' description of the FrontPage vulnerability is at
    http://online.securityfocus.com/bid/2906
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 04:10:19 PST