With SQL injection attacks lurking around web servers hooked to databases (independent of vendor, but with a focus on Windows, IIS and SQL Server), Microsoft is lending a helping hand against the threat. According to the Redmond company, a new breed of attacks debuted at the end of 2007 does not show any signs of winding down. At the same time, Microsoft informed that after extensive investigating, it has determined that the SQL Injection Storm attacks are not related to security vulnerabilities in its products, patched or Zero-day, but instead to web applications designed to run on top of the databases.
"The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise as many database servers as possible," informed Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft. "While the attack was a SQL injection attack that attacked and compromised back-end databases courtesy of vulnerable Web pages, from a user's perspective the real attack was compromised Web pages that serve up malware to attack users through their browsers."
Howard's position is that, since there are no vulnerabilities for vendors to deal with, Microsoft included the best method to ensure database protection is to secure the code as much as possible. According to Howard, Microsoft's Security Development Lifecycle can help bulletproof vulnerable databases by using SQL Parameterized Queries, Stored Procedures, and SQL Execute-only Permission.
The Redmond giant denied that security holes in Windows, IIS, SQL Server or any infrastructure code are responsible for the acceleration rate of the SQL injection attacks. At the same time, the company pointed to a malicious tool available in the wild and designed to automate SQL injection attacks, as well as the introduction of the technique in the process of spreading malicious bots. The Microsoft Security Vulnerability Research and Defense blog has a list of recommendations for IT/database administrators, Web developers, as well as for end users.
"Beginning late last year, a number of websites were defaced to include malicious HTML < script > tags in text that was stored in a SQL database and used to generate dynamic web pages," revealed a member of the SVRD team. "Once a server has been defaced using this attack, it will begin including a malicious < script > tag pointing to a .js file. While the contents of these files differ, they all attempt to exploit various vulnerabilities including already-patched Microsoft vulnerabilities and vulnerable third-party ActiveX controls. Since these scripts are hosted independently, it is possible that the scripts can be changed rapidly to exploit new client vulnerabilities and can be easily tailored to target on a 'per browser' basis."
In addition, Bala Neerumalla, a security software developer at Microsoft, authored a whitepaper titled "Preventing SQL Injections in ASP" aimed specifically at developers. All the resources made available by the Redmond company aim to highlight a series of best practices designed to prevent SQL injection attacks.