Security Strategy

Microsoft flaw leads to military hack

But was it an army server?

Tags: army, military, mulholland, flaw

By Robert Lemos

Published: 20 March 2003 09:22 GMT

A previously unknown vulnerability in Microsoft's web software allowed an online attacker to take control of a publicly accessible US Department of Defense server last week, the military confirmed late on Tuesday.

Contrary to previous media reports, the US Army said the server - or servers - that had been compromised weren't the responsibility of that arm of the military. However, representatives of the armed forces didn't elaborate on which part of the services operates the computer.

"The military sites that were attacked did not belong to the Army," said Col. Ted Dmuchowski, director of information assurance for the US Army's Network Technology Enterprise Command (NTEC), who underscored that the Army took such threats seriously. "For security reasons... we don't discuss what specific measures we take under these circumstances."

Microsoft learned of the flaw a week ago when a customer sent an email to the company's security contact point, secure@microsoft.com, said Iain Mulholland, security programme manager for Microsoft's security response team. Mulholland would not confirm whether the US Army, or another branch of the military, was the customer in question.

"We recognised this as an issue and asked if anyone else is seeing this," he said. "If the issue was widespread, our support teams would hear about it. But our support queries were silent, so we thought the best thing to do was to work on the patch."

While Microsoft could have released a workaround last Wednesday, Mulholland said that the lack of any other incidents, combined with the fact that the compromise of the unnamed customer was being investigated by federal law enforcement authorities, convinced the software giant to wait until it had a full patch prepared.

The vulnerability - in Microsoft's Internet Information Server 5.0 and Windows 2000 - took the software giant's security group by surprise because a security researcher had not found the problem. Normally, a security researcher or hacker who finds a vulnerability will announce the details publicly or to the software's creator.

The worst-case scenario for the discovery of software problems is when flaws are found by internet vandals and used before software makers can respond. Such flaws are known as zero-day vulnerabilities.

Dmuchowski dismissed the perception that the element of surprise makes a vulnerability any more serious.

"The zero-day exploit, although dramatic for news headlines, is not a first," he said. "Hackers find vulnerabilities before vendors know about them all the time. In fact, that is where some vendors first find out about their vulnerabilities."

Patrick Swan, a spokesperson for the US Army's chief information officer, who was quoted in one media report confirming that the affected server belonged to the Army, said that there was some initial confusion over who had jurisdiction over the server.

"At first blush they thought it was an Army server," he said. "Now all we can say is that it was a military server."

Robert Lemos writes for CNET News.com.
