Microsoft advisory targets SQL injection attacks

Microsoft has issued a new security advisory after the discovery of "a
recent escalation in a class of attacks" targeting Web sites. The
exploits are associated with Microsoft's Active Server Pages (ASP)
and the ASP.NET 2.0 Framework, with SQL Server used as an entry
vector for so-called SQL injection attacks.


ASP lets developers create dynamic Web pages, supporting
interactive browser-based applications and e-commerce by connecting
with a relational database (such as SQL Server) on the back
end.


Even though Microsoft's technologies are used in the attacks,
the fault lies with Web site developers who haven't followed the
best practices for security, according to Redmond.


"[The attacks] do not exploit a specific software vulnerability,
but instead, target Web sites that do not follow secure coding
practices for accessing and manipulating data stored in a
relational database," wrote Bill Sisk, security response
communications manager for Microsoft, in an e-mail to Redmondmag.com
on Tuesday.


Microsoft's advisory describes three tools that can help protect
individual Web sites from SQL injection attacks, according to Sisk.
Links to these tools are also available on Microsoft's data platform
blog. According to Redmond, the free and
downloadable tools come with detection and defense features.


SQL injection attacks are becoming increasingly common. In
April, security consultancy White Hat identified isolated cases of
SQL-based Web sites injected with malicious JavaScript code.
Perhaps the worst of it was seen in January, when a widespread barrage of SQL injection
attacks occurred. At that time, tens of thousands of Windows- and
SQL-based workstations were affected, as well as several thousand
Web sites with .gov and .edu domain suffixes. Many of the problems
were remedied before serious damage could be done.


This article originally was published June 24 at RedmondMag.com, a Web site affiliated with GCN.com. RedmondMag.com and GCN.com are owned by 1105 Media Inc.
