Microsoft Bug Tracking Hacked

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then use them as pivots into the company internal network.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in this case they can feel free to comment.

[via Reuters]

18 thoughts on “Microsoft Bug Tracking Hacked

  1. “This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.”

    Just think of all the damage an accessible open-source bug-tracking database would cause?

    1. I don’t think you’ll find critical and unfixed bugs and/or vulnerabilities in open source bug databases either, that would be reckless.

      What is worrying is that they have sat on the bugs and on the fact that they were stolen for so long. Why do that???

      1. Why? Money.
        Just think how much it’ll cost to fix all those known bugs at once, instead of their usual response of releasing a fixes as and when needed.
        Admitting it now, they can just say “Oh, those bugs only affect older, now unsupported versions, so please don’t hold your breath waiting for a fix” and their execs can give themselves a pat on the back for saving money.

        1. So very typical of a company like micro$haft. Either deny deny deny, or tie the other party up in red tape and lawyers until they go broke. I don’t regret ditching them a long LONG time ago one little bit.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s