Microsoft offers assistance to combat mass SQL injection
Microsoft has provided security advice to web developers using its products after many such sites were compromised. Last week, hundreds of thousands of web pages were infected with a malicious iframe which tries to infect visitors with a trojan. Many high-profile sites including the United Nations (un.org), the UK government (gov.uk) and the US Department of Homeland Security were affected. The attack exploits SQL injection vulnerabilities to inject the iframe into the database behind the web pages. It can thereafter contaminate all pages served by the database backend with code that tries to inject a trojan. Microsoft has analysed the attacks and has now published tips to help administrators protect their web servers.
In its security and IIS blogs, Microsoft explains that the attackers do not exploit any vulnerabilities in Internet Information Server (IIS), ASP, ASP.NET or MS SQL Server. Microsoft also objects to the widespread assumption that a hole in Windows is exploited to escalate user privileges.
According to Redmond's security experts, the attackers use automated tools to look for SQL injection holes in web applications which have not been developed according to Microsoft's "Best Practices". The "Best Practices" guidelines explain how to configure and implement applications to make them as secure and error-free as possible.
Administrators and web developers who are not yet aware of Microsoft's "Best Practices" guidelines for developing web applications and MS SQL servers should take this opportunity to implement the measures suggested in these guidelines.
- Questions about Web Server Attacks, entry in Microsoft's security blog
- SQL Injection Attacks on IIS Web Servers, entry in Microsoft's IIS blog
- Improving Web Application Security: Threats and Countermeasures, Microsoft's "Best Practices" guidelines for making web applications secure
- How To: Protect From SQL Injection in ASP.NET, Microsoft's "Best Practices" guidelines for improving MS SQL server security