Apr 28, 2008 (12:04 PM EDT)
Microsoft Blames Poor Coding Practices For Massive SQL Injection Attack
Read the Original Article at InformationWeek
Microsoft on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server.
"The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database."
Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.
SQL injection attacks involve insufficiently filtered code submitted to SQL databases through user input mechanisms.
Because otherwise legitimate Web sites deliver this attack, SAN Internet Storm Center handler Donald Smith observes that the concept of a "trusted" or "legitimate" site is no longer meaningful. The attack has reportedly affected the Web sites of the United Nations and the U.S. Department of Homeland Security, to name a few.
Google may have taken some action to remove some of the affected pages from its index. A Google search for a text string associated with the malicious JavaScipt now yields only 56,700 results. A screenshot of what is presumably a similar Google search -- the exact string is blurred -- performed by F-Secure last week shows 510,000 results.
A search using the same text string on Microsoft's Live Search returns 268,000 results. Yahoo Search returns 560,000 results for the text string in question.
Runald reiterated Sisk's point that poorly written ASP and ASPX (.net) was to blame rather than any specific vulnerability in Microsoft's software.