Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Microsoft Security

Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com) 48

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
This discussion has been archived. No new comments can be posted.

Microsoft Responded Quietly After Detecting Secret Database Hack in 2013

Comments Filter:
  • by Anonymous Coward
    Regardless of whether Microsoft fixed the flaws or not, there are still millions of old computers out there with important information that do important things that have not been / will not ever be patched.
  • >> database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system

    Closed OS FTW. On second thought, TFA says "including Windows", so was Microsoft hanging onto zero-days for other companies?
    • >so was Microsoft hanging onto zero-days for other companies?

      Microsoft sells more than just an OS.

      • by Anonymous Coward

        You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so mu

        • You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!

          1. systemd is an abomination that should be removed entirely. Glad there's distros like Devuan focused on keeping options open; and Gentoo driving OpenRC development (which started at Gentoo!).

          2. I stopped using Windows regularly in 2009 once I was able to switch my work devices over to Linux, save a VM to do deliverable compilations on occasion for a couple years. However, I still get introduced to the changes going on - via co-workers, friends, and family. That said, the basics of Windows haven't chang

    • Apparently this was part of their to-do list. The moment the # of vulnerabilities exceeded 1,000,000 the list lost meaning and got abandoned.

    • I'm guessing that they are talking about other MS software such as Office and other MS produced software other than Windows OS...
  • They really kept this database on an internet-facing PC?

    • >> database on an internet-facing PC

      I doubt it. From TFA: "exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks"

      So...they probably established a CnC beachhead inside the network, let that dial out to their proxied CnC server, and then went into the company's internal network over that connection. In other words, they could have pulled this off without any Internet-facing resources. In fact, they only needed o
    • They really kept this database on an internet-facing PC?

      Not necessary to be internet facing.. Just internet connected... However, still, why on earth allow that? Air gapped security would be recommended in cases like this I think.

  • by Mal-2 ( 675116 ) on Tuesday October 17, 2017 @10:51AM (#55383245) Homepage Journal

    What exactly were they supposed to do? Disclosing this publicly wouldn't have gotten the 0-days closed any faster but would have started malicious actors scrambling to get their hands on that database. Some already had it -- publicly admit it exists and has been exfiltrated, and anyone with even a passing interest is going to want it.

    Now if it had been a database of someone else's 0-days, then they could be expected to at least tell the vendors of the products in question. But when they are the vendor? It's an internal problem.

  • Okay, one can can argue that telling means people will hack. but in my experience, the hacking community finds out anyway, and then the public isn't even given a chance to defend themselves. Perhaps MS thought it was cute to leave a backdoor, say, for the NSA, but as long as the customers are paying their salaries they have an ethical obligation to inform the customers so they can take actions to protect themselves. This is why closed source software cannot be trusted and is in fact less secure: people can
  • Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world.

    They literally would not.

EARTH smog | bricks AIR -- mud -- FIRE soda water | tequila WATER

Working...