Secret Microsoft database of unfixed vulnerabilities hacked in 2013

Microsoft Corp's secret internaldatabase for tracking bugs in its own software was broken intoby a highly sophisticated hacking group more than four yearsago, according to five former employees, in only the secondknown breach of such a corporate database.

The company did not disclose the extent of the attack to thepublic or its customers after its discovery in 2013, but thefive former employees described it to Reuters in separateinterviews. Microsoft declined to discuss the incident.

The database contained descriptions of critical and unfixedvulnerabilities in some of the most widely used software in theworld, including the Windows operating system. Spies forgovernments around the globe and other hackers covet suchinformation because it shows them how to create tools forelectronic break-ins.

Bad guys with inside access to that information wouldliterally have a "skeleton key"for hundreds of millions ofcomputers around the world.- Eric Rosenbach, former U.S. deputy assistant secretary of defense for cyber

The Microsoft flaws were fixed likely within months of thehack, according to the former employees. Yet speaking out forthe first time, these former employees as well as U.S. officialsinformed of the breach by Reuters said it alarmed them becausethe hackers could have used the data at the time to mountattacks elsewhere, spreading their reach into government andcorporate networks.

"Bad guys with inside access to that information wouldliterally have a 'skeleton key' for hundreds of millions ofcomputers around the world," said Eric Rosenbach, who was U.S.deputy assistant secretary of defense for cyber at the time.

Companies of all stripes now are ramping up efforts to findand fix bugs in their software amid a wave of damaging hackingattacks. Many firms, including Microsoft, pay securityresearchers and hackers "bounties" for information about flaws, increasing the flow of bug data and rendering efforts to securethe material more urgent than ever.

• Apple launches 'bug bounty,' offering cash for reports of security flaws

In an email responding to questions from Reuters, Microsoftsaid: "Our security teams actively monitor cyber threats to helpus prioritize and take appropriate action to keep customersprotected."

Microsoft investigates

Sometime after learning of the attack, Microsoft went backand looked at breaches of other organizations around then, thefive ex-employees said. It found no evidence that the stoleninformation had been used in those breaches.

Two current employees said the company stands by thatassessment. Three of the former employees assert the study hadtoo little data to be conclusive.

Microsoft tightened up security after the breach, the formeremployees said, walling the database off from the corporatenetwork and requiring two authentications for access.

The dangers posed by information on such softwarevulnerabilities became a matter of broad public debate thisyear, after a National Security Agency stockpile of hackingtools was stolen, published and then used in the destructive"WannaCry" attacks against U.K. hospitals and other facilities.

After WannaCry, Microsoft President Brad Smith compared theNSA's loss to the "the U.S. military having some of its Tomahawkmissiles stolen," and cited "the damage to civilians that comesfrom hoarding these vulnerabilities."

The Microsoft matter should remind companies to treataccurate bug reports as the "keys to the kingdom," said Mark
Weatherford, who was deputy undersecretary for cybersecurity atthe U.S. Department of Homeland Security when Microsoft learnedof the breach.

Like the Pentagon's Rosenbach, Weatherford said he had notknown of the Microsoft attack. Weatherford noted that mostcompanies have strict security procedures around intellectualproperty and other sensitive corporate information.

"Your bug repository should be equally important," he said.

Employees' Macs penetrated

Microsoft discovered the database breach in early 2013 aftera highly skilled hacking group broke into computers at a numberof major tech companies, including Apple Inc, FacebookInc and Twitter Inc.

The group, variously called Morpho, Butterfly and WildNeutron by security researchers elsewhere, exploited a flaw in
the Java programming language to penetrate employees' AppleMacintosh computers and then move to company networks.

They absolutely discovered that bugs had been taken. Whether or not those bugs were in use, I don't think theydid a very thorough job of discovering.- Former Microsoft employee

The group remains active as one of the most proficient andmysterious hacking groups known to be in operation, according tosecurity researchers. Experts can't agree about whether it isbacked by a national government, let alone which one.

More than a week after stories about the breaches firstappeared in 2013, Microsoft published a brief statement thatportrayed its own break-in as limited and made no reference tothe bug database.

"As reported by Facebook and Apple, Microsoft can confirmthat we also recently experienced a similar security intrusion,"the company said on Feb. 22, 2013.

"We found a small number of computers, including some in ourMac business unit, that were infected by malicious softwareusing techniques similar to those documented by otherorganizations. We have no evidence of customer data beingaffected, and our investigation is ongoing."

Poorly protected

Inside the company, alarm spread as officials realized thedatabase for tracking patches had been compromised, according tothe five former security employees. They said the database waspoorly protected, with access possible via little more than apassword.

Concerns that hackers were using stolen bugs to conduct newattacks prompted Microsoft to compare the timing of thosebreaches with when the flaws had entered the database and whenthey were patched, according to the five former employees.

These people said the study concluded that even though thebugs in the database were used in ensuing hacking attacks, theperpetrators could have gotten the information elsewhere.

That finding helped justify Microsoft's decision not todisclose the breach, the former employees said, and in manycases patches already had been released to its customers.

Three of the five former employees Reuters spoke with saidthe study could not rule out stolen bugs having been used infollow-on attacks.

"They absolutely discovered that bugs had been taken," saidone. "Whether or not those bugs were in use, I don't think theydid a very thorough job of discovering."

That's partly because Microsoft relied on automated reportsfrom software crashes to tell when attacks started showing up.

The problem with this approach, some security experts say, isthat most sophisticated attacks do not cause crashes, and themost targeted machines such as those with sensitive governmentinformation are the least likely to allow automated reporting.

• When do Canadian spies disclose the software flaws they find? There's a policy, but few details
• Criminals used leaked NSA cyberweapon in crippling ransomware attack, experts say