Microsoft and HP announced yesterday that they are providing free tools to help network administrators deal with the increase in SQL injection attacks over the last six months.
"We released two new tools, and HP has released one, to help administrators discover flaws so that they can mitigate attacks," said Mark Miller, director of Microsoft's Trustworthy Computing product management.
The problem lies in hackers' ability to create malformed database requests that end up "injecting" SQL commands where only usernames and passwords should be. Although Microsoft claimed that their IIS software is not vulnerable, they cautioned developers to follow their guidelines when designing sites that use back-end databases. Thankfully, the new tools should help developers identify problems in the sites they design before the vulnerabilities are exposed on the internet.
Microsoft, HP Ship Free Tools to Protect Web Sites from Hackers (Computerworld)
Programmers have the ability to avoid SQL injection attacks by requiring "strongly typed" usernames and passwords in order to avoid the malformed login information. Unfortunately, it appears that many developers do not write their code in this way, given the large number of sites that have been compromised, including the United Nations' Web site. The major problem is that these attacks allow hackers to hijack legitimate Web sites to deliver their malware, bypassing suspicions that most users have of sites that are not well known.
SQL Injection Remains Scary Back-Door Security Threat (InformationWeek)
'Legit' Website Compromises Reach Epidemic Proportions (Channel Register)
These attacks seem to follow the same pattern as most problems with vulnerable software. Most of the time, it is not zero-day attacks, or attacks based on brand-new vulnerabilities, that cause the biggest problems. Usually, it is attacks based on vulnerabilities that have been known and sometimes patched months before. I remember when the SQL Slammer worm hit, because I was on vacation in Las Vegas at the time, but my systems were safe because that attack was based on a vulnerability for which a patch was released nine months earlier. Have you looked at your systems to see if you are vulnerable to a SQL injection attack?