UPDATE 6/25: Microsoft has decided to be helpful on the issue of SQL injection attacks. It released a tool today that it says will analyze ASP code to help Web programmers identify the coding patterns that leave them vulnerable to this attack. The Microsoft Source Code Analyzer for SQL Injection tool has been released as a Community Technology Preview (CTP).
POSTED 6/24
The non-stop onslaught of SQL injection attacks against Web sites using Microsoft ASP and ASP.NET technologies has prompted Microsoft Security to once again issue a "not our fault" advisory today. It says:
"Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine."
The above advisory may have been in response to (or in conjunction with) today's post from the SANS Internet Storm Center discussing methods to mitigate/prevent SQL injection attacks against ASP. The post, written by Jason Lam, says:
"A lot of our readers are scrambling to find fixes for their applications. ASP is an older-generation Web scripting language and would require a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out the SQL keywords and also escape some of the metacharacters in SQL to prevent SQL injection from happening."
These attacks work because the Web application builds its SQL statement by splicing user-supplied text directly into the query string, so the database cannot tell where the developer's SQL ends and the attacker's begins. Filtering keywords and escaping metacharacters after the fact is a blacklist: it has to anticipate every keyword, encoding and query context an attacker might use, and it does nothing for input that lands in an unquoted (numeric) position. A better method, Lam says, is the "parameterized query," which sends the static SQL statement and the user input to the database separately, so the database can distinguish between the two and never interprets the input as SQL.
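The difference between the two approaches, as an added example that is not part of the original post or of the ISC reader's function. It is written in Python with SQLite so it runs offline; the same pattern applies to ADO (classic ASP) and ADO.NET parameters. The blacklist filter, the table and its rows are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from any real site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "wonderland"), (3, "bob", "builder")],
    )
    return conn

# Hypothetical blacklist in the spirit of "filter the SQL keywords and escape
# the metacharacters". It is a simplified stand-in, not the reader's function
# described in the ISC post.
BLACKLIST = re.compile(
    r"\b(select|insert|update|delete|drop|union|exec|declare)\b|--|;",
    re.IGNORECASE,
)

def blacklist_filter(value):
    value = BLACKLIST.sub("", value)     # strip "dangerous" keywords and comment markers
    return value.replace("'", "''")      # escape the string delimiter

# Vulnerable: raw concatenation into a quoted string context.
def login_concat(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

# Still vulnerable: the filtered value is spliced into an unquoted numeric
# context, where there is no quote to escape and OR is not on the blacklist.
def user_by_id_filtered(conn, user_id):
    sql = "SELECT username FROM users WHERE id = " + blacklist_filter(user_id)
    return [row[0] for row in conn.execute(sql)]

# Fixed: the SQL text is constant; the values travel separately as parameters,
# so the database treats them as data no matter what characters they contain.
def login_param(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def user_by_id_param(conn, user_id):
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    # The comment marker turns the password check into a comment.
    print(login_concat(db, "admin' --", "wrong"))        # ['admin']
    # Same input as a parameter: the quote and "--" are just characters.
    print(login_param(db, "admin' --", "wrong"))         # []
    # Keyword filter passes this untouched; the tautology returns every row.
    print(user_by_id_filtered(db, "0 OR 1=1"))           # ['admin', 'alice', 'bob']
    # As a parameter the whole string is compared to the id column as one value.
    print(user_by_id_param(db, "0 OR 1=1"))              # []
```

The point the two pairs make is that the fix is structural, not lexical: once the statement text and the data are sent separately, there is no list of bad characters to maintain and no context (quoted string, number, identifier) to reason about.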
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.