- BlackBerry Storm vs. the iPhone
- Digg's Kevin Rose: "We have to do better"
- Blogger warns: "Nortel doesn't make it out alive"
- Financial quagmire bringing out the scammers
- Verizon plays with the wrong e-mail addresses
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday, resulting in the display of a photograph of a child waving the flag of Saudi Arabia.
It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security adviser for Microsoft in Europe, the Middle East and Africa, on Friday.
The problem has since been fixed. However, the hack highlights how large software companies with technical expertise can still prove vulnerable to hackers.
The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by using a technique known as SQL injection to get unauthorized access to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs, and passed them to a database. By embedding a query with an unexpected form in the requested URL, the hacker prompted the server to return error messages, Halbheer said.
From those error messages, a hacker can get an idea of how the database is structured and refine a SQL query that the database will process as an instruction to insert, rather than retrieve, data. Eventually, the hacker found the right combination and inserted a link to an external Web site into the database.
That meant when the normal Web page was called into a browser, the database would download data from an external link. In this case, it was two photos and a graphic, a screen shot of which is available on Zone-H.org, which tracks hacked Web sites.
There are two ways to avoid this style of attack. First, the database should not be allowed to return error messages, Halbheer said. Secondly, the Web application should have validated the URL the hacker entered and rejected ones that should not be processed, he said.
If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.
SQL injection attacks are on the rise, overall, because valuable data is held within databases, said Paul Davie, founder and COO of Secerno, a security vendor that develops technology to protect databases from SQL attacks.
"I don't think Microsoft are unique in this respect and shouldn't be held up as particularly slipshod," Davie said. "This could have happened to practically anybody."
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comments (2)
SQL Injection attackBy LANZen on July 3, 2007, 2:36 amIf this could happen on a Microsoft site with all their resources, what chance does a normal enterprise stand? Most enterprises have staff who can code just enough...
Reply | Read entire comment
Microsoft U.K. domain succumbs to SQL injection attackBy Microsoft Subnet on July 2, 2007, 10:11 amThis doesn't help the reputation of Microsoft Security -- named as one of the worst jobs. http://www.networkworld.com/community/?q=node/16852
Reply | Read entire comment
View all comments