04-07-07, 02:00 PM   #1
BGonaSTICK
Hackers brandish their virtual spray cans...

Details have emerged of an attack which defaced Microsoft's UK website.

Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag.

It is likely that Microsoft.co.uk, which was breached last Wednesday, was subverted using SQL injection, according to security website Zone-H, which has also run a picture of the defacement. "Most probably, the attacker exploited the site by means of SQL injection to insert HTML code in a field belonging to the table which gets read every time a new page is generated," said Zone-H on its site.

Microsoft said it is investigating the breach. It said in a statement: "Microsoft has learned of a criminal attempt to deface a sub-site of Microsoft.com. Upon notification of the criminal activity, Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity.

"Microsoft is not currently aware of any customer impact as a result of this criminal activity but will continue to investigate the incident and take any necessary action to help protect customers. In addition, the defaced website was restored to its original content within hours.

"We apologise if customers are inconvenienced by the unavailability of the affected website. Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to ensure the continued security of the website."

Ed Gibson, Microsoft UK's chief security advisor, played down the impact of the security breach. "I think it's always difficult when any company suffers from an intrusion by a criminal organisation," he said. "As to the question of long-standing damage - Microsoft will not suffer, because that particular matter was cleaned up quickly.

"Criminals are always trying to steal or break into systems - it shows we can't be complacent. By all of us working as an industry to make the ecosystem better, we'll continue to make it better tomorrow. Unfortunately these things happen."

Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested".

He added: "When building commercial software for databases, there's a finite amount of time to test it - software is never bug-free." It is understood that it was not an Oracle database that was subverted.
__________________
Dreambox 7000, Skystar2 PCI, Skystar USB, Fibo 90cm on Moteck SG2100, Triax TD110 multi-LNB. Sky + ART cards. 45.0°E - 58.0°W
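
The Zone-H explanation quoted in the post above (SQL injection used to place HTML in a table field that is read every time a page is generated) can be reproduced on a small scale; the following is an added example, not part of the original post or article and not the affected site's code, contrasting a string-built UPDATE with a parameterised one and adding output encoding at render time. The `site_text` table, its columns, the function names and the sample input are all constructed for illustration.

```python
import html
import sqlite3

# Constructed input: a quote character followed by an extra column assignment.
SAMPLE = "x', banner = '<img src=placeholder.png>"

def make_db():
    # Hypothetical schema: one row of site-wide text that every page reads.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE site_text (id INTEGER PRIMARY KEY, banner TEXT, contact TEXT)")
    db.execute("INSERT INTO site_text VALUES (1, 'Welcome', 'nobody')")
    return db

def set_contact_vulnerable(db, value):
    # The input is pasted into the SQL text, so a quote in it closes the
    # string literal and whatever follows is parsed as SQL.
    db.execute("UPDATE site_text SET contact = '%s' WHERE id = 1" % value)

def set_contact_safe(db, value):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    db.execute("UPDATE site_text SET contact = ? WHERE id = 1", (value,))

def stored(db):
    return db.execute("SELECT banner, contact FROM site_text WHERE id = 1").fetchone()

def render_page(db, escape=True):
    # Second layer: encode database text before it goes into the page.
    banner, contact = stored(db)
    if escape:
        banner, contact = html.escape(banner), html.escape(contact)
    return "<h1>%s</h1><p>Contact: %s</p>" % (banner, contact)

def demo():
    weak, fixed = make_db(), make_db()
    set_contact_vulnerable(weak, SAMPLE)
    set_contact_safe(fixed, SAMPLE)
    return {
        "weak_banner": stored(weak)[0],       # overwritten by the input
        "fixed_banner": stored(fixed)[0],     # untouched
        "weak_raw": render_page(weak, escape=False),
        "weak_escaped": render_page(weak),
        "fixed_escaped": render_page(fixed),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

With the bound parameter the whole input ends up as inert text in `contact`; with the string-built statement it rewrites `banner`, and only the render-time encoding keeps that markup from reaching the page.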

04-07-07, 02:11 PM   #2
BGonaSTICK
Re: Hackers brandish their virtual spray cans...

Quote:
Originally Posted by BGonaSTICK

Patrick McLaughlin, the European director of security solutions at database company Oracle, said "software can never be fully tested".

He added: "When building commercial software for databases, there's a finite amount of time to test it - software is never bug-free."

What he means to say is that it's not economically viable to fully test modern-day bloatware, so they'll let their customers do it for them.

If the software houses are going to turn out untested software, at least be honest about it.

When software is compact and functional, it's perfectly feasible to test it fully. The black art of testing has been lost to the commercial world for several years now. It's a casualty of rapid development and market pressure.

The more lines of code you have running, the more likely there are to be errors and the more testing you should do.