Massive SQL-injection attack not Microsoft's fault, security official says

F-Secure found evidence of yet another massive round of infected Web sites on Thursday, all compromised by SQL injection attacks. Many pundits in the blogosphere were quick to blame Microsoft IIS and/or SQL Server. And so Bill Sisk from the Microsoft Security Team posted a blog late Friday evening in response. Sisk insists that no new vulnerabilities were found. He also says that better coding practices on the part of developers are what is needed to prevent this kind of attack.

Essentially this kind of attack directs people to malicious Web sites. Sites that use a database back-end (and there are more and more of them these days) are vulnerable if they allow users to upload information to the database. Examples include discussion forums, blogs, feedback forms, et cetera. Therefore, developers need methods in place to verify that the information that gets stored in, or requested from, their databases is not sending people to infected Web pages. According to F-Secure, the SQL injection code:

"finds all text fields in the database and adds a link to malicious JavaScript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code."

Sisk's reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies." Sisk points developers to a white paper written in May 2005 that explains how to avoid SQL injection attacks.
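As an added illustration (not code from the article or from Microsoft's white paper), here are the two coding patterns Sisk's advice contrasts, written in Python over an in-memory SQLite table standing in for a site's content database, together with the clean-up check a site owner would want after such a compromise: finding text fields that carry an injected script link. The table, its rows, and the host name in the sample row are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema and data standing in for a site's content table.
# Row 2 carries a constructed example of the injected <script> link the
# article describes; the host name is a placeholder, not a real indicator.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO articles VALUES (1, 'Welcome', 'Plain text body');
INSERT INTO articles VALUES (2, 'News',
    'Hello<script src=http://example.invalid/x.js></script>');
INSERT INTO articles VALUES (3, 'Notes', 'Nothing to see');
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

# Vulnerable pattern: the querystring value is spliced into the SQL text,
# so whatever the caller sends becomes part of the statement itself.
def fetch_article_unsafe(conn, article_id):
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()

# Hardened pattern: the value is validated as an integer and then bound as
# a parameter, so the database never parses it as SQL.
def fetch_article_safe(conn, article_id):
    if not article_id.isdigit():
        raise ValueError("article id must be numeric")
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (int(article_id),)).fetchall()

# Matches a script tag that loads its code from an external source.
SCRIPT_LINK = re.compile(r"<script[^>]+src\s*=", re.IGNORECASE)

# Clean-up check: list every (table, column, row id) whose text value carries
# an external script reference, which is what the mass injection leaves behind.
# Table and column names come from the site's own code here, never from users.
def find_injected_script_links(conn, table, columns):
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and SCRIPT_LINK.search(value):
                hits.append((table, col, row_id))
    return hits
```

With the unsafe function, a querystring value such as `2 OR 1=1` widens the WHERE clause and returns every row; the safe function rejects it before any SQL is built.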



Copyright © 2008 IDG Communications, Inc.
