F-Secure found evidence of yet another massive round of infected Web sites on Thursday, all compromised by SQL injection attacks. Many pundits in the blogosphere were quick to blame Microsoft IIS and/or SQL Server, so Bill Sisk of the Microsoft Security Team posted a blog late Friday evening in response. Sisk insists that no new vulnerabilities were found, and says that better coding practices on the part of developers are what is needed to prevent this kind of attack.
Essentially, this kind of attack directs visitors to malicious Web sites. Sites that use a database back-end (and there are more and more of them these days) are vulnerable if they allow users to submit information that ends up in the database; examples include discussion forums, blogs, feedback forms, et cetera. Therefore, developers need methods in place to verify that the information stored in, or requested from, their databases is not sending people to infected Web pages. According to F-Secure, the SQL injection code:
Sisk's reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies." Sisk points developers to a white paper written in May 2005 that explains how to avoid SQL injection attacks.
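As an added illustration (not code from the article, from F-Secure or from Microsoft), the following Python script shows the coding difference Sisk is talking about against a small, constructed SQLite table: one lookup pastes user input straight into the SQL string, which is the pattern SQL injection exploits, and the other binds the value as a parameter so the database never treats it as SQL. It also includes a simple scan of stored rows for injected external script tags, the kind of check the post says developers need so that their own database content is not sending people elsewhere. The `posts` table, its rows and the `example.invalid` URL are all constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data for a tiny "blog posts" table (not from the article).
SAMPLE_POSTS = [
    ("Welcome", "First post."),
    ("Patch notes", "Nothing to see here."),
    ("Secret draft", "Not published yet."),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def find_post_unsafe(conn, title):
    """Vulnerable lookup: the user-supplied title is concatenated into the SQL
    text, so a quote character in the input changes the statement's meaning."""
    sql = "SELECT title FROM posts WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_post_safe(conn, title):
    """Fixed lookup: the title travels as a bound parameter. Whatever it
    contains, the statement stays 'WHERE title = ?' and matches literally."""
    sql = "SELECT title FROM posts WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


# External script tag, the kind of payload that sends visitors to another site.
SCRIPT_TAG = re.compile(r"<script[^>]*\ssrc\s*=", re.IGNORECASE)


def scan_for_injected_scripts(conn):
    """Defensive check: return ids of rows whose stored text carries an
    external <script src=...> tag, i.e. content that should never have been
    written into a post table by a legitimate user."""
    hits = []
    for post_id, title, body in conn.execute("SELECT id, title, body FROM posts"):
        if SCRIPT_TAG.search(title or "") or SCRIPT_TAG.search(body or ""):
            hits.append(post_id)
    return hits


def demo():
    """Run both lookups with the same crafted input, then simulate one tampered
    row (constructed) and scan for it."""
    conn = make_db()
    crafted = "' OR '1'='1"          # classic input that turns the WHERE clause true
    leaked = find_post_unsafe(conn, crafted)   # every title comes back
    literal = find_post_safe(conn, crafted)    # nothing is titled that, so []
    # Constructed tampering: an injected tag appended to one post's body.
    conn.execute(
        "UPDATE posts SET body = body || "
        "'<script src=\"http://example.invalid/x.js\"></script>' WHERE id = 2"
    )
    return leaked, literal, scan_for_injected_scripts(conn)


if __name__ == "__main__":
    leaked, literal, hits = demo()
    print("unsafe lookup returned:", leaked)
    print("parameterized lookup returned:", literal)
    print("rows carrying an external script tag:", hits)
```

The parameterized version is the whole fix: the database driver sends the value separately from the statement, so no amount of quoting in the input can reshape the query. The scan is a stop-gap for content that is already in the database; it is worth running as a scheduled job after an incident like this one, but it does not replace fixing the queries.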
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor.