Microsoft advisory targets SQL injection attacks

Microsoft has issued a new security advisory after the discovery of "a
recent escalation in a class of attacks" targeting Web sites. The
exploits are associated with Microsoft's Active Server Pages (ASP)
and the ASP.NET 2.0 Framework, with SQL Server used as an entry
vector for so-called SQL injection attacks.


ASP lets developers create dynamic Web pages, supporting
interactive browser-based applications and e-commerce by connecting
with a relational database (such as SQL Server) on the back
end.


Even though Microsoft's technologies are used in the attacks,
the fault lies with Web site developers who haven't followed the
best practices for security, according to Redmond.


"[The attacks] do not exploit a specific software vulnerability,
but instead, target Web sites that do not follow secure coding
practices for accessing and manipulating data stored in a
relational database," wrote Bill Sisk, security response
communications manager for Microsoft, in an e-mail to Redmondmag.com
on Tuesday.


Microsoft's advisory describes three tools that can help protect
individual Web sites from SQL injection attacks, according to Sisk.
You can also find links to these tools on Microsoft's data platform
blog. According to Redmond, the free and
downloadable tools come with detection and defense features.


SQL injection attacks are becoming increasingly common. In
April, security consultancy White Hat identified isolated cases of
SQL-based Web sites injected with malicious JavaScript code.
Perhaps the worst of it was seen in January, when a widespread barrage of SQL injection
attacks occurred. At that time, tens of thousands of Windows- and
SQL-based workstations were affected, as well as several thousand
Web sites with .gov and .edu domain suffixes. Many of the problems
were remedied before serious damage could be done.


This article originally was published June 24 at RedmondMag.com, a Web site affiliated with GCN.com. RedmondMag.com and GCN.com are owned by 1105 Media Inc.
