Microsoft Kept Quiet About 2013 Bug Database Hack

Allan Goodman
October 18, 2017

While Microsoft failed to disclose the breach and had reportedly fixed the flaws "within months of the attack", three of the ex-employees interviewed by Reuters said that the stolen bugs may have been used in attacks following the breach. When the company concluded it was possible the subsequent hacks could have been the result of information stolen elsewhere, the company decided not to disclose the extent of the breach.

Modern security teams research flaws in all kinds of software, not just the software built and maintained by their corporations. But Microsoft did increase security after the attack.

One of the former employees isn't convinced Microsoft did its due diligence.

A cyber-attack by a notorious hacking group back in 2013 compromised highly sensitive information on unfixed Microsoft vulnerabilities, data which could have been used to devastating effect, it has emerged.

"An equivalent scenario with conventional weapons would be the USA military having some of its Tomahawk missiles stolen", Brad Smith, Microsoft's president and chief legal officer said at the time. It declined to comment in the original report.

They determined that while those bugs had in fact been used to carry out attacks, the hackers involved could have learned of the vulnerabilities from elsewhere - there was no evidence linking the other attacks to the Microsoft breach. Many firms, including Microsoft, pay security researchers and hackers bounties for information about flaws - increasing the flow of bug data and rendering efforts to secure the material more urgent than ever.

Even worse for the tech giant, the database containing details of as-yet-unpatched bugs was allegedly poorly protected by "little more than a password".

Israeli jets destroy anti-aircraft missile launcher in Syria
The SA5 surface-to-air missile was launched at the Israeli military fighters from an anti-aircraft battery but missed its target. A US-led coalition backs some of the militia groups that want to overthrow Assad, including SDF and Free Syrian Army.

Microsoft found no evidence that the information in the database had been used in an attack, which two employees said was probably the case, Reuters reported.

The five ex-employees and USA officials who were told of the breach said that, at the time, there were fears that the stolen data could have been used to create attack tools.

The attack was particularly troublesome, not simply because the details were not publicly disclosed but because the hackers who carried out the breach were in possession of information about vulnerabilities that plagued millions of machines around the world.

The possibility could not be ruled out, however, as Microsoft relied on automated reports from crashes to track attacks, according to Reuters.

More than a week after stories about the breaches first appeared in 2013, Microsoft published a brief statement that portrayed its own break-in as limited and made no reference to the bug database.

The database contained information on active software bugs and vulnerabilities, which could have been used to mount serious cyberattacks in the future.

"They absolutely discovered that bugs had been taken", one source said.

Other reports by PlayStation Move reviews

Discuss This Article