A hacker successfully defaced a page on Microsoft Corp.'s U.K. Web site on Wednesday, resulting in the display of several images, including a photograph of a child waving the flag of Saudi Arabia.

Roger Halbheer, Microsoft's chief security advisor in Europe, the Middle East and Africa, said today that the security hole used in the attack has since been closed. But, he said, it was "unfortunate" that the U.K. site was vulnerable in the first place.

The hacker, who posted his name as "rEmOtEr," used a SQL injection attack to exploit a programming snafu and gain unauthorized access to a database that supports the Web site, Halbheer said. The site takes SQL queries embedded in URLs and passes them to the database, he explained. By embedding a query of an unexpected form into the address for a particular Web page, the hacker prompted the server to return error messages, Halbheer said.

From such error messages, an attacker can get an idea of how a database is structured and refine a query so that the database will process it as an instruction to insert, instead of retrieve, data. In Microsoft's case, Halbheer said, the hacker eventually found the right combination and inserted a link to an external Web site into the database.

When users accessed the Web page on Microsoft's site, the database downloaded two photos and a graphic from the external site. A screenshot of the defacement was posted on the Zone-H.org Web site, which tracks hacked sites.

Send via e-mail | Submit to Digg | Add to Live Favorites