Microsoft denies a link between IIS and SQL injection attacks

By Scott M. Fulton, III | Published April 28, 2008, 12:06 PM

An apparent rash of SQL injection attacks on Web sites was reported by a Finnish security firm late last week, though a case of "guilt by implication" led to speculation that a privilege escalation vulnerability was the cause.

Last Friday, the Web site of security engineering firm F-Secure noted what appears to be another outbreak of successful SQL injection attacks on database-driven Web sites that use Active Server Pages to generate results. In what appears to the firm to be a twist on a classic attack scheme, an unsanitized SQL query passed into the database rewrites the contents of every record in its tables so that certain text fields contain hidden, malicious JavaScript code.

That code may then be executed by some unprotected browsers, and the result could be, F-Secure warns, the downloading of a Trojan package with an unspecified payload.

An update at the end of F-Secure's Friday report identified only SQL Server and IIS-related sites as being vulnerable. But a BetaNews check this morning of infected sites whose injected code is visible via Google query (where, ironically, the hidden script code becomes un-hidden) revealed at least one site -- that of publisher Harcourt Brace, a frequent Oracle partner -- where the injected code was also present.

While Active Server Pages are a product of Microsoft Internet Information Server, the technology is not exclusively linked to Microsoft SQL Server.

At any rate, the update apparently sparked speculation that the privilege escalation vulnerability acknowledged by Microsoft ten days ago was somehow related, since IIS was also involved. That prompted Microsoft to respond in a now-familiar fashion: publicly sorting out one type of problem from another.

"This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server," wrote the security team's Bill Fisk last Friday. "We have also determined that these attacks are in no way related to Microsoft Security Advisory 951306. The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

In a separate blog post, Microsoft SQL engineer Bill Staples repeated that the two problems were not related, and added, "Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in Web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform."

Taking the meaning of "exploit" to new levels, some of the code used in the attack has apparently been registered as a keyword on Google's AdWords platform. This morning, BetaNews found that a search for some of the hidden code turned up a sponsored link for a site that offers a fix for what it calls the "aspder.com virus." It promises to cleanse the injected fields in your database, all for a mere $29.95.

"We assume no risk," the proprietors warn. "We just hope it helps."

Comments

Microsoft is right on this one. SQL Injection has nothing to do with IIS at all. It targets poor development practices, and has happened on basically every platform.

People who try to pin this on Microsoft are probably going to spend next week blaming Ford for potholes.

Score: 0

|

I am interested in network safety. Open network sites concern me and will continue to be a problem without proper regulation of the networks. Security best practices are a key, but not enough. Thank you for this great article.

Score: 0

|

Crackers pray for ubiquitous homogeneity.

Score: 0

|

Like standards like smtp! ;)

Score: 0

|

Sendmail, qmail, exim, fetchmail, and many others implement SMTP. Even Microsoft does SMTP. And none of them have the same vulnerabilities.

Good standards encourage diverse implementations. Not that SMTP is a great standard but it does allow my mail server to shrug off an attack that would crack a Microsoft mail server.

Diversity is the enemy a cracker.

Score: 0

|

Diversity is the enemy a cracker.

Funny how you can say that while railing against OXML in previous threads.

Guess it only applies when that diversity isn't a MSFT product?

Score: 0

|

You missed my point. SMTP is a terrible protocol because it has built-in broken authentication, it's ripe for abuse, and yet it's a standard that everyone uses, and keeps using despite its obvious flaws...

Score: 0

|

My point is that with many different implementations each with many different configurations there isn't an attack that will crack every SMTP server.

Sure you can make Qmail bounce an error to a forged return address, but that trick doesn't work with Exim. I don't think there is a program with a worse security record than Sendmail, but those cracks will not let you run arbitrary code from Qmail.

True diversity is the enemy "of" a cracker.

False diversity, when a standard is only implemented on one OS and every program uses the same vendor provided libraries, makes a prime target. Like some standards that would be off topic to mention.

Score: 0

|

Microsoft needs a UAC for bad development techniques.

Score: 0

|

Wow, a comment that actually uses your brain, instead of the usual M$ sucks.

SQL Injection is a real problem that can be solved by using simple coding rules.

NEVER build dynamic queries with input from a form without using parameters. This goes for any language and database.

Score: 0

|
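The two points above, the article's description of an unsanitized query that leaves every text field carrying a hidden script tag, and the commenter's rule to never build dynamic queries without parameters, can be shown side by side in a few lines. The following is an added example written for this page, not code from BetaNews, F-Secure or Microsoft. It uses Python's standard sqlite3 module in place of SQL Server, a constructed two-row products table, and a placeholder script tag (the src URL is invented, not an indicator from the article). It contrasts a string-concatenated lookup with a parameterized one, then runs a defender's audit that finds and strips `<script>` elements from text columns, which is the "cleanse the injected fields" step the article mentions.

```python
import re
import sqlite3

# Constructed sample rows (not from the article).
SAMPLE_ROWS = [
    (1, "Widget", "A fine widget."),
    (2, "Gadget", "A handy gadget."),
]

# Constructed stand-in for the hidden script the article describes; placeholder URL.
INJECTED_TAG = '<script src="http://example.invalid/placeholder.js"></script>'

# Matches a complete <script ...>...</script> element, case-insensitive, across lines.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Only plain identifiers are accepted for table/column names in the audit helpers.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """In-memory database with one table, standing in for the site's product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Classic-ASP-style string concatenation: form input becomes part of the SQL syntax."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same lookup with a bound parameter: the input is always treated as a data value."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def _check_identifier(ident):
    if not IDENTIFIER.match(ident):
        raise ValueError(f"refusing to use identifier {ident!r}")
    return ident


def find_injected_rows(conn, table, columns):
    """Audit: return (rowid, column) pairs whose text contains a <script> element."""
    table = _check_identifier(table)
    hits = []
    for col in map(_check_identifier, columns):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and SCRIPT_TAG.search(value):
                hits.append((rowid, col))
    return hits


def cleanse(conn, table, columns):
    """Strip <script> elements from the given text columns; returns the number of fields changed."""
    table = _check_identifier(table)
    changed = 0
    for col in map(_check_identifier, columns):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if isinstance(value, str) and SCRIPT_TAG.search(value):
                clean = SCRIPT_TAG.sub("", value)
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (clean, rowid))
                changed += 1
    conn.commit()
    return changed


def simulate_mass_injection(conn):
    """Reproduce the outcome the article describes, benignly: every description gains the tag."""
    conn.execute("UPDATE products SET description = description || ?", (INJECTED_TAG,))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # input containing SQL syntax
    print("concatenated query returned", lookup_vulnerable(db, probe))
    print("parameterized query returned", lookup_parameterized(db, probe))
    simulate_mass_injection(db)
    cols = ["name", "description"]
    print("injected fields:", find_injected_rows(db, "products", cols))
    print("fields cleansed:", cleanse(db, "products", cols))
    print("injected fields after cleanse:", find_injected_rows(db, "products", cols))
```

The concatenated lookup returns both rows for an input that is not a product name, because the quote characters in the input changed the shape of the query; the parameterized lookup returns nothing, because the same characters stayed inside one string value. The audit deliberately matches only complete script elements, so it reports each affected field rather than every row; on a real site you would take a backup before running anything like `cleanse`, and fix the concatenation first, since cleaning the data without closing the hole just invites the next pass.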

I agree, but people tend to complicate everything.

Score: 0

|
