Hacker Prevents Access to Microsoft

The software company's site was unavailable for an hour and 40 minutes, possibly delaying efforts to download a patch.

August 02, 2003 | Joseph Menn | Times Staff Writer

A hacker attack on Microsoft Corp. left its corporate Web pages unavailable to visitors for an hour and 40 minutes Friday afternoon in the first successful denial-of-service campaign against the company in at least nine months.

The attack sent requests for information to the Web site from many computers, overwhelming its servers but causing no lasting damage, said Microsoft spokesman Sean Sundwall.

The assault might have delayed some computer owners' efforts to download new software from Microsoft that fixes a critical vulnerability the company disclosed two weeks ago. The Remote Procedure Call vulnerability could allow hackers to take control of machines running Microsoft's Windows NT, Windows XP, Windows 2000 or the recently released Windows Server 2003 operating system.

Security researchers and hackers already have written and published programs to take advantage of the vulnerability, prompting the U.S. Department of Homeland Security to issue an advisory urging people to download a software patch.

"We have been extra adamant that people download this," Sundwall said.

There were no reports of attacks using the new method by late in the day.

Sundwall said it was possible that the denial-of-service attack was meant to hinder installation of the patches, but more likely that it was a prank timed for the first day of Def Con, a hacking and security convention being held in Las Vegas.

This week, security firm Qualys Inc. of Redwood City, Calif., released the results of tests for known vulnerabilities on more than 1 million computers, concluding that the most dangerous time is in the first weeks after a vulnerability is made public.

Hackers are accelerating their attacks, and the public's response remains incomplete, Qualys found. Only half of the computers surveyed were protected within 30 days of a vulnerability being identified.

Los Angeles Times Articles