Reuters report that Microsoft suffered a serious hack in 2013 which could have exposed vulnerabilities in Windows which could then be later exploited by hackers for further attacks on other Microsoft software users.
The hack was ironically achieved by a sophisticated hacker group who exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks, who then accessed a database contained descriptions of critical and unfixed vulnerabilities in Microsoft software, including Windows.
The attack was happening around the same time as a wave of attacks on other companies such as Apple, Facebook and Twitter, and Microsoft at a time only released a terse statement saying:
“As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,” the company said on Feb. 22, 2013.
“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
The statement underplayed the seriousness of the hack however.
“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Mark Weatherford, who was deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security when Microsoft learned of the breach, agreed, saying companies should treat accurate bug reports as the “keys to the kingdom.”
“Your bug repository should be equally important,” he said.
Microsoft tightened up security after the breach, walling the database off from the corporate network and requiring two authentications for access.
They also monitored other companies for breaches to detect if there was a corresponding increase in attacks after their own hack, suggesting useful vulnerabilities were leaked.
They concluded that even though the bugs in the database were used in ensuing hacking attacks, the perpetrators could have gotten the information elsewhere.
In an email responding to questions from Reuters, Microsoft said: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”