F-Secure found evidence of yet another massive round of infected Web sites on Thursday, all compromised by SQL injection attacks. Many pundits in the blogosphere were quick to blame Microsoft IIS and/or SQL Server. And so Bill Sisk from the Microsoft Security Team posted a blog entry late Friday evening in response. Sisk insists that no new vulnerabilities were found. He also says that better coding practices on the part of developers are what is needed to prevent this kind of attack.
Essentially, this kind of attack directs people to malicious Web sites. Sites that use a database back-end (and there are more and more of them these days) are vulnerable if they allow users to upload information to the database. Examples include discussion forums, blogs, feedback forms, et cetera. Therefore, developers need methods in place to verify that the information that gets stored in, or requested from, their databases is not sending people to infected Web pages. According to F-Secure, the SQL injection code:
Sisk's reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies." Sisk points developers to a white paper written in May 2005 that explains how to avoid SQL injection attacks.
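As an added illustration (not code from the article, from F-Secure, or from Microsoft's white paper), here is the coding-practice difference Sisk is pointing at, with Python's sqlite3 module standing in for the SQL Server back-end: a comment form that splices user input into the SQL text beside the parameterized version, plus a simple sweep for stored rows that already carry a script tag. The comment table, the sample comment and the example.invalid URL are constructed for the example.

```python
import sqlite3

# Constructed sample comment of the kind a forum or feedback form accepts.
# The apostrophe is enough to reveal whether input reaches the SQL parser.
SAMPLE_COMMENT = "O'Brien: <script src=\"http://example.invalid/x.js\"></script>"


def fresh_db():
    """In-memory stand-in for a site's comment table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_vulnerable(conn, body):
    """Anti-pattern: input spliced into the SQL text. The apostrophe ends the
    string literal early, so the rest of the comment is parsed as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")


def insert_safe(conn, body):
    """Parameterized query: the value travels separately from the statement,
    so it is stored verbatim and cannot change the statement's structure."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def suspicious_rows(conn):
    """Defender sweep: ids of rows whose stored text embeds a script or iframe
    tag, the footprint a mass injection leaves in a compromised table."""
    markers = ("<script", "<iframe")
    return [rid for rid, body in conn.execute("SELECT id, body FROM comments")
            if any(m in body.lower() for m in markers)]


def compare(body):
    """Run one input through both code paths and report what each did."""
    conn = fresh_db()
    try:
        insert_vulnerable(conn, body)
        vulnerable = "stored"
    except sqlite3.OperationalError:
        vulnerable = "input reached the SQL parser"
    insert_safe(conn, body)
    return vulnerable, stored_bodies(conn), suspicious_rows(conn)


if __name__ == "__main__":
    print(compare(SAMPLE_COMMENT))
```

The concatenated version fails as soon as a comment contains an apostrophe, which is the same mechanism an attacker relies on to append their own SQL; the parameterized version stores the comment unchanged, and the sweep shows how a site can spot rows that already point visitors elsewhere.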