Microsoft Spills Customer Data

A server glitch makes internal Microsoft documents, including a massive database of customer names and addresses, accessible online. By Brian McWilliams.

Microsoft took a public file server offline Tuesday after Internet users discovered that the system contained scores of internal Microsoft documents, including a huge customer database with millions of entries.

The file transfer protocol server ordinarily enables Microsoft customers to download drivers, software patches and other files, as well as to upload files to the company's Product Support Services team.

But due to what experts say was an ineffective internal security policy, anyone on the Internet had full read access to folders containing confidential company presentations, spreadsheets, internal reports and other company information.

Among the files accessible to any Internet user was a 1 GB database containing millions of names and mailing addresses. The data was kept in a compressed archive named dmail_11_04_02.zip. The file, which was protected with the password "dbms," was easily opened with freely available password-cracking software. Traditional zip password protection offers no defence beyond the password itself, and a four-letter, lowercase string of that kind is found by a word list or exhausted by brute force in seconds.
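The following is an added example, not code from the article or from any of the parties named in it. It shows why a password such as "dbms" offers no real protection: it builds a one-entry archive protected with the traditional PKWARE (ZipCrypto) scheme that password-protected zip files of that era used, then recovers the password with a short word list, the way freely available crackers do. The file name, records and word list are constructed for the example; the real dmail_11_04_02.zip and its contents are not reproduced.

```python
"""ZipCrypto dictionary attack (added example; constructed data, not the article's archive)."""
import io
import struct
import zipfile
import zlib


def _crc32_byte(crc: int, byte: int) -> int:
    """One byte of the reflected CRC-32 (poly 0xEDB88320) that drives the ZipCrypto key schedule."""
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc


class ZipCryptoEncryptor:
    """PKWARE traditional (ZipCrypto) keystream, APPNOTE section 6.1.
    CPython's zipfile module only decrypts; this is the matching encryption side."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain: int) -> None:
        self.k0 = _crc32_byte(self.k0, plain)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Return a stored (uncompressed), ZipCrypto-protected archive with one entry."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header. Real archivers fill the first 11 bytes randomly;
    # fixed bytes are used here so the output is reproducible. The 12th byte
    # mirrors the high byte of the CRC: that is the cheap check which lets a
    # cracker reject 255 of 256 wrong passwords after decrypting only 12 bytes.
    header = bytes(range(11)) + bytes([crc >> 24])
    body = ZipCryptoEncryptor(password).encrypt(header + data)
    flags, method = 0x0001, 0                            # bit 0: encrypted; 0: stored
    dos_time, dos_date = 0, (22 << 9) | (11 << 5) | 4    # 2002-11-04 00:00:00
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(name), 0) + name
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip_password(archive: bytes, wordlist):
    """Try each candidate against the first entry; return (password, plaintext),
    or (None, None) once the word list is exhausted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entry = zf.infolist()[0]
        for candidate in wordlist:
            try:
                return candidate, zf.read(entry, pwd=candidate.encode())
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: header check byte mismatch (most wrong guesses).
                # BadZipFile: the 1-in-256 wrong guess that passes the check byte
                # but fails the CRC-32 over the decrypted data.
                continue
    return None, None


# Constructed sample records and word list; not the real customer database.
SAMPLE_RECORDS = (b"name,street,city\n"
                  b"A. Example,1 Sample Rd,Redmond\n"
                  b"B. Example,2 Sample Rd,Seattle\n")
WORDLIST = ["password", "microsoft", "pss", "support", "dbms", "admin"]


def demo():
    """Protect the sample with the weak password and recover it from the word list."""
    archive = build_encrypted_zip(b"dmail_sample.csv", SAMPLE_RECORDS, b"dbms")
    return crack_zip_password(archive, WORDLIST)


if __name__ == "__main__":
    password, plaintext = demo()
    print("recovered password:", password)
    print(plaintext.decode())
```

The speed of such attacks comes from the 12-byte header: a wrong guess is rejected before any of the archive body is decrypted, so throughput is bounded by the key schedule alone, and a short, lowercase, dictionary-style password like the one here is recovered almost immediately.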

Although the FTP server was intended for use by Microsoft's product support organization, marketing staff appeared to be using the server, unaware that it was accessible from the Internet, said Russ Cooper, "surgeon general" at security services provider TruSecure.

"They probably thought they were sharing the files just with other Microsoft people and that it was a protected server," Cooper said.

A Microsoft spokeswoman said the company has disabled downloads from the PSS Support server "to improve the privacy protections on the site." The server's outgoing file directory will be brought back online after a review of its security architecture demonstrates that customers' information is protected, she said.

Among the many people who stumbled upon the open FTP server was Andreas Marx, a virus researcher with GEGA IT-Solutions. In a phone interview, Marx said he first noticed the security problem Nov. 15 after connecting to the FTP server to download a security patch for Microsoft Office. Marx said numerous directories in a section of the site marked "outgoing" were accessible and contained files with "really interesting names."

Marx said he reported the problem to Microsoft, and the company appeared to take the FTP server offline Monday. When the server was restored later in the day, it had been "completely cleaned" of confidential files, Marx said.

But shortly thereafter, he said, Microsoft employees apparently began uploading new confidential files to the public section of the FTP server.

"It looked like Microsoft had a policy about what files could be uploaded, but that some employees weren't following it," said Marx.

After a short stint offline Tuesday morning, the FTP server's incoming directory appeared to be back online later in the day with proper access permissions. The outgoing directory, which contained patches and other support information, was still inaccessible, however.

The incident follows the posting last month of dozens of Microsoft internal documents, including e-mails and reports labeled "Microsoft Internal Distribution," on a website operated by a security researcher in Turkey.

In an e-mail interview, Tamer Sahin said he was able to access Microsoft's internal network at the beginning of this year using "known vulnerabilities" in Microsoft's software. In a message at his site, Sahin said he hacked Microsoft and posted documents he retrieved during his trespass because of his "fanaticism to Unix."

At the time, a Microsoft spokesman said the information Sahin obtained was outdated, but declined to comment further, citing the company's policy of not discussing intrusion claims.