28 April 2008, 10:16

Microsoft offers assistance to combat mass SQL injection

Microsoft has provided security advice to web developers using its products after many such sites were compromised. Last week, hundreds of thousands of web pages were infected with a malicious iframe which tries to infect visitors with a trojan. Many high profile sites including the United Nations (un.org), the UK government (gov.uk) and the US Department of Homeland Security were affected. The attack exploits SQL injection vulnerabilities to inject the iframe into the database behind the web pages. It can thereafter contaminate all pages served by the database backend with code that tries to inject a trojan. Microsoft has analysed the attacks and has now published tips to help administrators protect their web servers.

In its security and IIS blogs, Microsoft explains that the attackers do not exploit any vulnerabilities in Internet Information Server (IIS), ASP and ASP.Net or in the MS SQL server. Microsoft also objects to the widespread assumption that a hole in Windows is exploited to escalate user privileges.

According to Redmond's security experts the attackers use automated tools to look for SQL injection holes in web applications which have not been developed according to Microsoft's "Best Practices". The "Best Practices" guidelines explain how to configure and implement applications to make them as secure and error-free as possible.

Administrators and web developers who are not yet aware of Microsoft's "Best Practices" guidelines for developing web applications and MS SQL servers should take this opportunity to implement the measures suggested in these guidelines.