Microsoft Does Something About Those SQL Injection Attacks

Published: August 27, 2008

by Alex Woodie

Microsoft last week issued an update to a Web server tool designed to thwart SQL injection attacks, an attack vector that has caught on with hackers over the last couple of years. With UrlScan 3.0, Microsoft developers say they finally have a method of blocking automated SQL injection attacks, and thereby protecting its customers' Web sites long enough for them to address the underlying programming flaws that are making them vulnerable.

Since the first SQL injection attacks were reported in late 2005, scores of high-profile Web sites based on Microsoft Active Server Pages and ASP.NET technologies have been hacked and defaced, leading to scores of embarrassed officials and requests for Microsoft to please, PLEASE, do something about it!

Among the Web sites falling victim to SQL Server attacks were a Web site owned by German TV station ARD, a Web site run by the Tech Target publishing company, an official Indian tourist Web site, the United Nations Web site, a Rhode Island government Web site, and Kaspersky's Malaysian Web site, according to Wikipedia. Even Microsoft's own British Web site was hacked.

Earlier this year, the attacks escalated, as hackers shared tools designed to automate the attacks. In June, Microsoft finally responded to the escalation by issuing Security Advisory 954462. The advisory acknowledged the escalating problem with SQL injection attacks, but stated that the attacks are not the result of any technical flaws in Microsoft's SQL Server database in its Internet Information Services (IIS) Web server, but rather are due to poor programming practices by developers creating dynamic Web sites using Microsoft's technology.

In other words, Microsoft was saying if you don't follow best practices and validate input to prevent SQL commands (and SQL injection attacks) from getting into the user input fields on your fancy-schmancy Web sites, then it's your own darned fault if you get hacked. Sorry, there's nothing we can do.

But actually, there was something Microsoft could do, and it's finally done it with the release of UrlScan 3.0 last week.

UrlScan is a free add-on developed by Microsoft's IIS team for IIS version 6 that filters requests coming into the IIS Web server, in real time. In previous releases, it could identify malicious code using one of a number of techniques, including looking at the size of the URL, looking at headers, or looking at unexpected characters in query strings in URLs.

Such techniques helped UrlScan block one of the most infamous Microsoft vulnerabilities, CodeRed. Subsequent versions of UrlScan worked so well that most of its functions were incorporated into the "request filter" component of IIS 7.

UrlScan, however, could do nothing about the recent spate of SQL injection attacks. That's because the tool lacked the capability to analyze the query string itself, according to Wade Hilmo, a senior developer with the IIS product team. "For historical and some obscure RFC reasons, UrlScan never looked at the query string," Hilmo writes in his blog.

Hilmo and friends went back to work, and came up with a way to analyze the entire query string with UrlScan version 3, which goes a long way toward clamping down on many types of SQL Injection attacks.

A beta of the tool was released in June, and last week Microsoft posted a final version of the tool. Users can download either an X86 version that runs in 32 bit mode or an X64 version for 64-bit systems.

Hilmo emphasizes that UrlScan 3.0 isn't a cure-all for SQL injection attacks. "It cannot be overstated that these tools are just an interim measure to buy time to fix the affected applications," he writes. "While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server."

In other words, you still have to fix your applications.

RELATED STORIES

Security Attacks and Breaches on the Rise

SQL Injection Attacks Being Used by Hackers for Profit