A previously unreported vulnerability in Microsoft's Web server software allowed an attacker to gain control of a publicly accessible Defense Department computer, the military confirms.
Contrary to previous media reports, the U.S. Army said the server--or servers--that had been compromised weren't the responsibility of that arm of the military. However, representatives of the armed forces didn't elaborate on which part of the services operated the computer.
"The military sites that were attacked did not belong to the Army," said Col. Ted Dmuchowski, director of information assurance for the U.S. Army's Network Technology Enterprise Command (NTEC), who underscored that the Army took such threats seriously. "For security reasons...we don't discuss what specific measures we take under these circumstances."
Microsoft learned of the flaw a week ago when a customer sent an e-mail to the company's security contact point, firstname.lastname@example.org, said Iain Mulholland, security program manager for Microsoft's security response team. Mulholland would not confirm whether the U.S. Army, or another branch of the military, was the customer in question.
"We recognized this as an issue and asked if anyone else is seeing this," he said. "If the issue was widespread, our support teams would hear about it. But our support queries were silent, so we thought the best thing to do was to work on the patch."
While Microsoft could have released a workaround last Wednesday, Mulholland said that the lack of any other incidents combined with the fact that the compromise of the unnamed customer was being investigated by federal law enforcement authorities convinced the software giant to wait until it had a full patch prepared.
The vulnerability--in Microsoft's Internet Information Server 5.0 and Windows 2000--took the software giant's security group by surprise because it had not been found by a security researcher. Normally, a security researcher or hacker who finds a vulnerability announces the details publicly or reports them to the software's creator.
The worst-case scenario for the discovery of software problems is a flaw that is found by Internet vandals and used before the software maker can respond. Such flaws are known as zero-day vulnerabilities.
Dmuchowski dismissed the perception that the element of surprise makes a vulnerability any more serious.
"The zero-day exploit, although dramatic for news headlines, is not a first," he said. "Hackers find vulnerabilities before vendors know about them all the time. In fact, that is where some vendors first find out about their vulnerabilities."
NTBugTraq: Attack not serious
Russ Cooper, moderator of the NTBugTraq security list, which is owned by security services firm TruSecure, agreed that the attack wasn't a serious one, even accounting for the fact that a previously unknown flaw had been exploited.
"If you are a nation-state trying to use a zero-day, that is a very valuable commodity," he said. "You want to get as much utility out of it as you can. So (if the compromise were serious) I would have expected to see attacks against other computers at the Pentagon as well."
Cooper had been the source for media reports that classified the compromised server as an Army computer. Originally, a representative from the Army had contacted him to help get a security report through to Microsoft, he said.
A file that had been left on the server had referred to the attack as "Unicorn Beachhead." A brief analysis by Cooper suggested that unicorn referred to a component of the WebDAV software in which the vulnerability had been found. The reference to "beachhead," and the fact that the attacker had been mapping the network connected to the Web server, suggests that the server was to be a staging ground for further attacks on the military, said Cooper.
Neither Microsoft nor military representatives would confirm or deny any of the details provided by Cooper, except to refute his assertion that the server had belonged to the U.S. Army. Cooper on Wednesday acknowledged that the server may actually belong to a different branch of the military.
Patrick Swan, a spokesperson for the U.S. Army's chief information officer, who was quoted in one media report confirming that the server belonged to the Army, said that there was some initial confusion over who had jurisdiction over the server.
"At first blush they thought it was an Army server," he said. "Now all we can say is that it was a military server."