Microsoft advisory targets SQL injection attacks

Microsoft has issued a new security advisory after the discovery of "a
recent escalation in a class of attacks" targeting Web sites. The
exploits are associated with Microsoft's Active Server Pages (ASP)
and the ASP.NET 2.0 Framework, with SQL Server used as an entry
vector for so-called SQL injection attacks.


ASP lets developers create dynamic Web pages, supporting
interactive browser-based applications and e-commerce by connecting
with a relational database (such as SQL Server) on the back
end.


Even though Microsoft's technologies are used in the attacks,
the fault lies with Web site developers that haven't followed the
best practices for security, according to Redmond.


"[The attacks] do not exploit a specific software vulnerability,
but instead, target Web sites that do not follow secure coding
practices for accessing and manipulating data stored in a
relational database," wrote Bill Sisk, security response
communications manager for Microsoft in an e-mail to Redmondmag.com
on Tuesday.


Microsoft's advisory describes three tools that can help protect
individual Web sites from SQL injection attacks, according to Sisk.
You can also find links to these tools at Microsoft's data platform
blog here. According to Redmond, the free and
downloadable tools come with detection and defense features.


SQL injection attacks are becoming increasingly common. In
April, security consultancy White Hat identified isolated cases of
SQL-based Web sites injected with malicious JavaScript code.
Perhaps the worst of it was seen January, when a widespread barrage of SQL injection
attacks occurred. At that time, tens of thousands of Windows- and
SQL-based workstations were affected, as well as several thousand
Web sites with .gov and .edu domain suffixes. Many of the problems
were remedied before serious damage could be done.


This article originally was published June 24 at RedmondMag.com, a Web site affiliated with GCN.com. RedmondMag.com and GCN.com are owned by 1105 Media Inc.

inside gcn

  • digital model of city (Shutterstock.com)

    Why you need a digital twin

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group