Three Microsoft sites attacked

Microsoft's UK, Mexico and Saudi Arabia sites were replaced with messages from the hacker group Prime Suspectz. The defacements come two days after Microsoft revealed its flagship Web server software had a serious vulnerability, but it's not known if the intruders used that vulnerability to attack the Microsoft sites. In a related development, a computer hacker published code Wednesday night that makes taking advantage of the new Microsoft flaw easy for any ill-intentioned computer programmer.

Microsoft's UK home page was back to normal not long after the defacement took place, and the defacement itself was relatively benign. It simply said, "Thank you for visiting..." and after a few seconds redirected visitors to the proper Microsoft site. (MSNBC is a Microsoft-NBC joint venture.)

Still, the attacks are an embarrassment for the company, which on Tuesday sounded an alert about a serious flaw in its Web server product, called Internet Information Server.

The group that defaced the Microsoft sites, which calls itself Prime Suspectz, has targeted the company before. In January, it defaced Microsoft's New Zealand site. In fact, the group is accustomed to attacking major international companies by taking control of their generally less-well-guarded overseas sites. Research group Attrition.org, which catalogs Web site attacks, noted 20 such attacks by the group in November. Among the companies targeted were NEC, Nintendo and eBay.

Microsoft spokesperon Jim Desler confirmed the three separate attacks, but said all three sites were returned to normal quickly. In all three cases, he said, the sites were operated by independent third parties and not connected to Microsoft's corporate network.

"There was no consumer data or Microsoft-sensitive data on these site," he said.

Desler said the company did not yet know how the attackers broke in, but said he doubted the recently-announced IIS bug was the culprit. Since the group has broken into Microsoft sites before, using other methods, Desler said they probably had used those older methods to break in.

According to computer security consultant Joel de la Garza, the UK defacement was not serious - it appears the attackers were only able to compromise a "placeholder" computer that redirects visitors from the simple URL www.microsoft.co.uk to the company's real Web site.

Meanwhile, the fallout from Tuesday's security vulnerability is still taking shape. The company acknowledged a flaw in a tool that's part of Windows 2000 that would allow an attacker to take complete control of a computer remotely over the Internet by sending a relatively simple string of text at the machine. The flaw lies in a Windows 2000 component that allows printing over the Internet. Virtually any Windows 2000 computer used as a Web server, if it's using the most recent version of Microsoft's Web server software called Internet Information Server, is vulnerable to the flaw - perhaps several million Web sites in all.

A string of characters posing as a print command can trick the machine into surrendering control to an attacker. The problem was discovered by a security firm called eEye Digital Security.

But system administrators still had some time to fix their systems with a Microsoft-issued patch, as taking advantage of the flaw required some sophisticated computer programming.

But on Wednesday, a hacker calling himself dark spyrit published what is essentially a template for the vulnerability on a popular security mailing list . It allows any ill-intentioned programmer to fairly easily take advantage of the flaw.