Microsoft Sites Suffer Defacement

Microsoft suffered another Web site defacement yesterday—this time at streamer.microsoft.com. A group calling itself Prime Suspectz replaced the site's home page with a message that read, "Microsoft Owned. Where is the security?" The same group claimed responsibility for defacing the Microsoft Mexico, Saudi Arabia, and United Kingdom sites last Wednesday. No information is known as to how the defacements occurred; however, results of a scan of the four defaced systems using the Nmap tool and posted at the Alldas.de Web site revealed that each system was probably running Windows 2000, and thus Internet Information Server (IIS) 5.0.

On May 1, eEye Digital Security released details of a serious vulnerability in IIS 5.0. The company worked with Microsoft so that Microsoft could produce a patch before eEye released the details of the vulnerability to the public. The vulnerability relates to an unchecked buffer in the Internet Server API (ISAPI) .printer extension for IIS, and the problem is serious enough that an intruder can place and run code on an IIS-based system with system-level privileges.

Coinciding with eEye’s announcement, Microsoft released a security bulletin that announced patch availability and provided details about the reported problem. However, in light of the most recent attacks, Microsoft apparently hasn't tightened security across its enterprise.

Marc Maiffret, chief hacking officer for eEye, told Windows 2000 Magazine that he was surprised to learn that several of Microsoft's sites had been defaced. Maiffret said that ever since a person using the alias "dark spyrit" released working source code that exploits the IIS 5.0 flaw, the number of IIS-based site defacements has increased, as seen in site defacement archives such as those hosted by Attrition.org. "Unfortunately, many companies won't learn about this problem until after their site gets hacked," said Maiffret. "Lots of big name companies out there aren't paying close enough attention to security."

According to Microsoft, you must either remove the .printer extension from an IIS server or apply the patch to eliminate the IIS 5.0 vulnerability. Microsoft offers details of how to remove the extension mapping in its IIS 5.0 Security Checklist. The patch is available on the company’s Web site.