Microsoft denies a link between IIS and SQL injection attacks
An apparent rash of SQL injection attacks on Web sites was reported by a Finnish security firm late last week, though a case of "guilt by implication" led to speculation that a privilege escalation vulnerability was the cause.
Last Friday, the Web site of security engineering firm F-Secure noted what appears to be another outbreak of successful SQL injection attacks on database-driven Web sites that use Active Server Pages to generate results. In what appears to the firm to be a twist on a classic attack scheme, an uncleansed SQL query into a database reformulates the contents of every record in its tables so that certain text fields contain hidden, malicious JavaScript code.
That code may then be executed by some unprotected browsers, and the result could be, F-Secure warns, the downloading of a Trojan package with an unspecified payload.
An update at the end of F-Secure's Friday report identified only SQL Server and IIS-related sites as being vulnerable. But a BetaNews check this morning of infected sites whose injected code is visible via Google query (where, ironically, the hidden script code becomes un-hidden) revealed at least one site -- that of publisher Harcourt Brace, a frequent Oracle partner -- where the injected code was also present.
While Active Server Pages are the products of Microsoft Internet Information Server, the technology is not exclusively linked to Microsoft SQL Server.
At any rate, the update apparently sparked speculation that the privilege escalation vulnerability acknowledged by Microsoft ten days ago, was somehow related since IIS was also involved. That prompted Microsoft to respond in a now familiar fashion: publicly sorting out one type of problem from another.
"This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server," wrote the security team's Bill Fisk last Friday. "We have also determined that these attacks are in no way related to Microsoft Security Advisory 951306. The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."
In a separate blog post, Microsoft SQL engineer Bill Staples repeated the two problems were not related, and added, "Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in Web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform."
Taking the meaning of "exploit" to new levels, apparently some of the code used in the exploit has been registered as a keyword on Google's AdWords platform. This morning, BetaNews found a search for some of the hidden code turned up a sponsored link for a site that offers a fix for what it calls the "aspder.com virus." It promises to cleanse the injected fields in your database, all for a mere $29.95.
"We assume no risk," the proprietors warn. "We just hope it helps."