[ISN] FrontPage Bug Opens Microsoft Sites To Attackers

From: InfoSec News (isnat_private)
Date: Tue Mar 26 2002 - 00:34:54 PST

  • Next message: InfoSec News: "[ISN] Wiretapping Requests Rise Sharply in 2001"

    By Brian McWilliams, Newsbytes
    25 Mar 2002, 11:49 AM CST
    Exploiting a widely known flaw in Microsoft's Web server software,
    attackers have defaced three Microsoft [NASDAQ:SFT] Web sites this
    On Sunday, a Brazilian defacement group known as Silver Lords replaced
    the home page of a Microsoft customer support site located at
    http://cust-supp-chat.one.microsoft.com with one of their own.
    The defaced page, which was still viewable today, included a message
    in Portuguese that begins "Bill Gates, my beloved and millionaire
    friend," and ridicules Microsoft for failing to follow the advice in
    its security bulletins.
    The other defaced sites included the Web home of Microsoft Research's
    Social Computing Group, and a site for an advisory group for
    Microsoft's Office suite. All three sites were running Microsoft's
    Internet Information Server (IIS) software, according to Netcraft.
    In an online interview today, a Silver Lords member who calls himself
    "Lord Choo3s" said he attacked the three sites by exploiting an
    unpatched flaw in an IIS component called FrontPage Server Extensions.
    Microsoft released a bulletin and patch for the buffer overflow flaw,
    which allows attackers to run code of their choice on a vulnerable
    server, on Jun. 21, 2001.
    The vandalized Microsoft support site was also briefly defaced by
    another attacker today. The defacer, who called himself "Analysis,"  
    posted a new message in Portuguese that read "Bill Gates, son of the
    devil ... go to hell."
    To deface the Microsoft sites, Lord Choo3s of Silver Lords, who said
    he was 15, relied on an exploit published by NSfocus, a computer
    security firm in China.
    Microsoft's bulletin on the FrontPage vulnerability thanks NSfocus for
    reporting the issue to Microsoft and working with it to protect
    NSfocus' advisory about the FrontPage flaw included a disclaimer that
    reads: "This code is for test purpose only and should not be run
    against any host without permission from the system administrator."
    Among the pages hosted at the cust-supp-chat.one.microsoft.com server
    is one for unsubscribing from MSN Newsletters. Another page assists
    users of Microsoft's Passport service who have forgotten their
    A Microsoft representative said the company is "vigilant in our
    efforts to ensure the security of our network," but added that
    Microsoft does not discuss or comment on specific attempts or claims
    of intrusion.
    A mirror of the defaced Microsoft support site is at
    SecurityFocus' description of the FrontPage vulnerability is at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 04:10:19 PST