Network World
Thursday, January 8, 2009

Microsoft Subnet Blog

Massive SQL-injection attack not Microsoft's fault, security official says

F-Secure found evidence of yet another massive round of infected Web sites on Thursday, all compromised by SQL injection attacks. Many pundits in the blogosphere were quick to blame Microsoft IIS and/or SQL Server, so Bill Sisk from the Microsoft Security Team posted a blog late Friday evening in response. Sisk insists that no new vulnerability is involved, and says that better coding practices on the part of developers are what is needed to prevent this kind of attack.

Essentially this kind of attack turns a compromised site into a redirector to malicious Web sites. The weakness is not that a site uses a database back-end (and more and more of them do these days), nor simply that it lets users post content; it is that a page builds its SQL query by concatenating a value taken from the request, such as an article ID or product ID in the query string, into the query text. Whatever the attacker places in that value is then executed as SQL, which is how a single crafted request can modify every text column in the database. Discussion forums, blogs and feedback forms are the usual examples, but any dynamic page that takes a parameter is exposed. The fix sits with the developer: pass user-supplied values to the database as bound parameters rather than pasting them into the query, and encode stored text when rendering it so that an injected script tag is displayed rather than executed. According to F-Secure, the SQL injection code:

"finds all text fields in the database and adds a link to malicious JavaScript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code."

Sisk's reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies." Sisk points developers to a white paper written in May 2005 that explains how to avoid SQL injection attacks.
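The following is an added example, not code from the article, from F-Secure or from Microsoft. It reproduces in Python and SQLite the mechanism described above: a product-ID page that concatenates the query-string value into its SQL (the vulnerable pattern), the same lookup written with a bound parameter (what the white paper recommends), a scan for the symptom F-Secure describes (script references appended to text columns), and HTML encoding on output. The table name, the sample rows and the payload are constructed; the payload is a hypothetical stand-in for the hex-encoded T-SQL used in the real attack and targets a single known table so that it runs offline in SQLite rather than SQL Server.

```python
import html
import sqlite3

# Constructed sample catalogue, roughly the shape of the dynamic ASP/ASPX
# pages the article describes (a product ID arrives in the query string).
SAMPLE_ROWS = [
    (1, "Widget", "A small widget."),
    (2, "Gadget", "A larger gadget."),
]

# Hypothetical injected value modelled on the attack F-Secure describes: one
# crafted query-string parameter that, once pasted into the SQL text, appends a
# script reference to every text column. The real 2008 payload was hex-encoded
# T-SQL that walked the system tables; this constructed version hits one known
# table so that it runs in SQLite.
INJECTED_SCRIPT = '<script src="http://example.invalid/x.js"></script>'
MALICIOUS_PRODUCT_ID = (
    "1; UPDATE products SET name = name || '" + INJECTED_SCRIPT + "', "
    "description = description || '" + INJECTED_SCRIPT + "';"
)


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def catalogue(conn):
    """Every row, so the side effect of an injected UPDATE is visible."""
    return conn.execute("SELECT id, name, description FROM products ORDER BY id").fetchall()


def handle_request_vulnerable(conn, product_id):
    """The coding mistake Sisk's post is about: the query-string value is
    concatenated into the SQL text, so a value containing ';' becomes extra
    statements. executescript() runs the whole batch, as the classic ASP/ADO
    stack against SQL Server does by default (sqlite3's execute() would refuse
    a second statement). Returns the catalogue after the request."""
    sql = "SELECT id, name, description FROM products WHERE id = " + product_id
    conn.executescript(sql)
    return catalogue(conn)


def lookup_safe(conn, product_id):
    """Parameterized query: product_id is bound as data and never parsed as SQL,
    so the same malicious string simply matches no row."""
    return conn.execute(
        "SELECT id, name, description FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def scan_for_injected_script(conn):
    """Detection check for the symptom F-Secure describes: text columns that
    now carry a <script> reference. Run it over every text column, not only
    the ones a given page happens to display."""
    return conn.execute(
        "SELECT id, name, description FROM products "
        "WHERE name LIKE '%<script%' OR description LIKE '%<script%'"
    ).fetchall()


def render_safe(text):
    """Output encoding, the second layer: even if stored text has been
    tampered with, escaping on output makes the browser display the tag
    instead of fetching the script."""
    return html.escape(text, quote=True)


def simulate_attack():
    """Run the scenario on a fresh database and report what the scan finds
    before and after the crafted request, plus the resulting rows."""
    conn = make_db()
    before = len(scan_for_injected_script(conn))
    handle_request_vulnerable(conn, MALICIOUS_PRODUCT_ID)
    after = len(scan_for_injected_script(conn))
    return before, after, catalogue(conn)


if __name__ == "__main__":
    conn = make_db()
    print("safe lookup with malicious id ->", lookup_safe(conn, MALICIOUS_PRODUCT_ID))
    before, after, rows = simulate_attack()
    print("tainted rows before/after attack:", before, after)
    for _, name, _ in rows:
        print("  would render as:", render_safe(name))
```

The vulnerable handler needs no file upload and no user account: one GET request with a crafted product ID is enough, which is why F-Secure saw ordinary catalogue and article pages compromised. The parameterized version accepts the identical string without executing it, and the scan plus output encoding are what you run and ship if you suspect a database has already been hit.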



The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, managed by editor Julie Bort. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter. The newsletter includes news generated by the Microsoft Subnet community as well as other Microsoft news stories published by Network World.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
