By Tom Espiner
http://news.com.com/Details+on+defacement+of+Microsofts+U.K.+Web+site/2100-7349_3-6194705.html

Story last modified Tue Jul 03 08:27:59 PDT 2007


Details have emerged of an attack which defaced Microsoft's U.K. Web site.

Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag.

It is likely that the company's U.K. site, which was breached on Wednesday, was subverted using an SQL injection, in which hackers exploit application vulnerabilities to alter server settings or mine data, according to Zone-H, which has also run a picture of the defacement.

"Most probably, the attacker exploited the site by means of SQL injection to insert HTML code in a field belonging to the table which gets read every time a new page is generated," Zone-H said on its site.
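The mechanism Zone-H describes (a content field in a table that is read every time a page is generated) is what a defender would want to harden and monitor. The Python example below is added here and is not code from the article, Zone-H or Microsoft; the table schema, slugs and page bodies are constructed samples. It shows a page lookup that binds the slug as a parameter and HTML-escapes the stored body, plus a baseline hash check that reports which content rows have changed.

```python
import hashlib
import html
import sqlite3


def make_db():
    """Constructed sample: an in-memory table standing in for a site's
    page store (assumption; the article does not describe the real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT);
        INSERT INTO pages VALUES ('home', 'Welcome to the UK site');
        INSERT INTO pages VALUES ('events', 'Upcoming events');
    """)
    return db


def baseline(db):
    """Hash every content row so later changes can be spotted."""
    return {slug: hashlib.sha256(body.encode()).hexdigest()
            for slug, body in db.execute("SELECT slug, body FROM pages")}


def changed_rows(db, base):
    """Slugs whose stored body no longer matches the baseline (or are new)."""
    now = baseline(db)
    return sorted(s for s in now if now[s] != base.get(s))


def render(db, slug):
    """Hardened page lookup: the slug is bound as a query parameter rather
    than concatenated into SQL, and the stored body is HTML-escaped so any
    markup that reached the table is displayed as text, not rendered."""
    row = db.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    if row is None:
        return "<p>Not found</p>"
    return "<p>" + html.escape(row[0]) + "</p>"


def demo():
    db = make_db()
    base = baseline(db)
    # Simulate the effect the article describes: a content field altered
    # directly in the table (a constructed UPDATE here, not an attack).
    db.execute("UPDATE pages SET body = ? WHERE slug = ?",
               ('<img src="defaced.jpg">', 'home'))
    return changed_rows(db, base), render(db, 'home')


if __name__ == "__main__":
    print(demo())
```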

Microsoft said it is investigating the breach. "Microsoft has learned of a criminal attempt to deface a subsite of Microsoft.com," the company said in a statement. "Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity.

"Microsoft is not currently aware of any customer impact as a result of this criminal activity but will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced Web site was restored to its original content within hours.

"We apologize if customers are inconvenienced by the unavailability of the affected Web site. Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to ensure the continued security of the Web site."

Ed Gibson, Microsoft's chief security adviser in the U.K., played down the impact of the security breach. "I think it's always difficult when any company suffers from an intrusion by a criminal organization," he said. "As to the question of long-standing damage--(Microsoft will not suffer), because that particular matter was cleaned up quickly.

"Criminals are always trying to steal or break into systems--it shows we can't be complacent. By all of us working as an industry to make the (ecosystem) better, we'll continue to make it better tomorrow. Unfortunately, these things happen."

Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested."

"When building commercial software for databases," he added, "there's a finite amount of time to test it. Software is never bug-free." It is understood that it was not an Oracle database that was subverted.

Tom Espiner of ZDNet UK reported from London.

Published: 2007.07.05 09:23     Source: 賽迪網    Author: ksanaka

product.ccidnet.com/art/6563/20070704/1134677_1.html


July 4, Beijing time. According to the latest foreign media reports, the UK network security company Zone-H has disclosed details of the defacement of Microsoft's UK website by hackers: the hackers broke through the site's security system and then defaced the page, replacing its content with a little boy holding a Saudi Arabian flag.

According to Zone-H, the attack on Microsoft's UK website took place on Wednesday; the site was subverted with a form of SQL injection, a hacking technique in which hackers exploit vulnerabilities in an application to change server settings or steal data. Zone-H has captured a screenshot of the defaced page.

Zone-H said on its website: "Most likely, the hacker used SQL injection to insert HTML code into the part of the site belonging to the page, so that every time the site's pages were generated they would produce a new picture. Hackers frequently use this technique to attack websites."

Microsoft said it is currently investigating the incident. In a statement, Microsoft said: "Microsoft has learned that a number of cybercriminals have attempted to deface websites under Microsoft's name. As soon as Microsoft discovered this criminal activity, the company took appropriate action to resolve the problem and to prevent anything similar from happening again. Microsoft has not so far found that this attack has had any impact on our customers, but we will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced page was restored to normal within hours."

Microsoft added: "If this attack on the website has had any adverse effect on customers, we apologize. Microsoft is committed to protecting our customers, and we will work closely with the third-party server company to ensure the continued security of the website."

Edward Gibson, chief security adviser at Microsoft UK, was unconcerned about the impact of the security breach. Gibson said: "I think that when any company is intruded upon by a criminal organization, it is very hard for that company to guard against it. As for the question of long-term damage, (Microsoft will not suffer any long-term impact), because this particular incident was dealt with quickly."

Gibson also said: "Cybercriminals are constantly trying to sneak into or break into systems, and sometimes we cannot guard against them all. For our part, we are an industry working to improve the (Internet environment), and we will continue to improve it in the future. Unfortunately, these things always happen."

Patrick McLaughlin, director of European security solutions at Oracle, said: "Software can never be fully tested." He added: "When we develop commercial software for databases, the time available to test the software is limited. Software cannot be free of bugs." He also disclosed that the database compromised in this incident was not an Oracle database.

(Editor in charge: 封小明)
