Microsoft Responds to the SQL Injection Problem

By Larry Seltzer  |  Posted 2008-06-25

Windows ecosystem gets bit by a problem that traces its way back to the days before Microsoft thought much about security.

Last September, Errata Security CEO Robert Graham told us in an interview that SQL Injection was a great risk for Web sites based on many open-source tools and on older, pre-.Net Microsoft technologies. Boy, was that ever a prescient interview.

Several months later, as Wired put it, a massive attack hit half a million Windows data-driven Web sites. In fact, it was the data in these sites that got compromised: the attack altered it so that the sites served malware and links to malware on top of their actual content. As the Wired blog puts it, the attack was not exactly Microsoft's fault and didn't reflect an actual vulnerability in Microsoft's code. And subsequent waves of the SQL injection attacks targeted non-Windows servers.

The best way to put it comes from the Graham interview, months before:

The pre-.Net Microsoft tools in particular were very vulnerable to attack and at the same time very easy to use. You had a lot of people building Web sites with them who really had no clue how to defend themselves from attackers. Since then Microsoft has rearchitected its products and the current generation of .Net tools makes it much more difficult to expose yourself to SQL injection unless you do something really strange.

In other words, the old Microsoft tools made it easy to program insecure code. Back in 1998 and 1999, I wrote a bunch of ASP sites which, if any were still alive (thank goodness they're not), would be easily vulnerable. I wrote them the obvious way, by reading input from users of Web forms and constructing SQL commands in VBScript. It's just not a good idea anymore to do it this way, at least not without checking the input.

On June 24, Microsoft released an obviously coordinated group of tools and documents to address the wave of servers compromised through SQL injection that occurred many weeks ago. Better late than never.
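The string-built query pattern the author describes, next to its parameterized replacement, as an added example that is not from the article or from Microsoft's guidance. It uses Python with sqlite3 in place of VBScript and ADO, and the user table is constructed here for illustration.

```python
import sqlite3

# Constructed sample rows standing in for a late-1990s ASP site's user table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """The 'obvious way': splice form fields straight into the SQL text.

    The database engine cannot tell where the data ends and the command
    begins, so a quote character in the input rewrites the query itself.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened form: fixed SQL text, values sent separately as parameters.

    The engine compiles the statement first and binds the values afterwards,
    so user input is only ever compared as a literal string.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # Well-formed input: both versions agree.
    print(login_concat(db, "alice", "s3cret"), login_param(db, "alice", "s3cret"))
    # Input containing a quote: the concatenated query's WHERE clause changes
    # shape and matches every row; the parameterized one finds no such password.
    odd = "' OR '1'='1"
    print(login_concat(db, "x", odd), login_param(db, "x", odd))
```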

A security advisory entitled "Rise in SQL Injection Attacks Exploiting Unverified User Data Input" starts out by defining the problem (SQL injection attacks are being made against ASP sites that don't sanitize inputs) and has lots of good links in it, including to tools about which I will go into some detail below. And then there are links to developer articles about SQL injection and how to avoid it:

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
