Microsoft's Rotten Friday: Hack Revealed As Azure, Halo Go Down

Microsoft ended the week with a pair of black eyes: a failure to secure a security certificate brought its Azure cloud service tumbling down, and the company also confessed to being the latest corporate victim of a high-profile hacking attempt.

The Azure failure also affected Microsoft's Xbox game, Halo 4, Microsoft confirmed.

The highest-profile incident may have had the least effect: "a small number" of Microsoft PCs were penetrated by an unknown intruder. No user data was compromised, Microsoft said in a blog post

"Consistent with our security response practices, we chose not to make a statement during the initial information gathering process," Matt Thomlinson, general manager of Microsoft's Trustworthy Computing Security unit, wrote. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."

The attacks were consistent with other efforts to penetrate computers within Apple and Facebook, Microsoft said. Facebook discovered its attack last week, which followed attacks on the Wall Street Journal and The New York Times via an unpatched exploit within Java, exploited, experts believe, by the Chinese military.

Separately, ZenDesk reported Friday that it too, was hacked, exposing emails that clients Tumblr, Twitter and Pinterest used to communicate it with it for service-related requests. 

Lack Of SSL Certificate Brings Azure Down

At press time Friday night, Microsoft still had not implemented a fix for the Azure issue, caused by a failure to obtain a new SSL certificate. That brought its Azure storage services down across all of its worldwide regions, as well as services that were dependent upon them.

At 9:30 PM UTC (4:30 PM ET), Microsoft discovered that "HTTPS operations (SSL transactions) on Storage accounts worldwide are impacted," the company said.  By 9:45 PM UTC, the the management portal, WindowsAzure.com, and the service bus, plus the websites that Azure serves were also down. By 10:15 PM, the company had begun validating steps to repair the problem, but hadn't formally announced a fix. After users began circulating screenshots of what appeared to be an expired SSL certificate, the company acknowledged its error.

"Windows Azure Storage has been affected by an expired certificate," a spokesman said in an emailed statement. We are working to complete the restoration as quickly as possible. We apologize for any inconvenience this has caused our customers. For more information please go to http://www.windowsazure.com/en-us/support/service-dashboard/." Microsoft also apologized to customers via Twitter.

Microsoft also reported problems with its Compute services, preventing users from creating new virtual machines. That left users who needed to create those virtual machines to host new apps scratching their heads. "Most of our apps are screwed up now!" pinvoke.in, one commenter, complained. "WHATS NEXT? All compute instances die because someone at the data center switched them off?"

Unfortunately for Microsoft, this sort of thing has happened before. At the end of February 2012, Microsoft failed to account for the leap day at the end of the month, Feb. 29. As a result, the Azure services was down for more than 12 hours before Microsoft could issue a fix. Microsoft hasn't said whether or not the recent outage was a result of an oversight, or a more serious technical error.

Oddly enough, Netflix began reporting problems of its own on Friday night, leading to the intriguing possibility that two cloud services may have been failing at the same time. But although Netflix has gone down before when Amazon's AWS service failed, Amazon's own AWS service dashboard didn't indicate any problems.