Volume 6, Number 31 -- August 27, 2008

Microsoft Does Something About Those SQL Injection Attacks

Published: August 27, 2008

by Alex Woodie

Microsoft last week issued an update to a Web server tool designed to thwart SQL injection attacks, an attack vector that has caught on with hackers over the last couple of years. With UrlScan 3.0, Microsoft developers say they finally have a method of blocking automated SQL injection attacks, and thereby protecting customers' Web sites long enough for them to address the underlying programming flaws that make those sites vulnerable.

Since the first SQL injection attacks were reported in late 2005, scores of high-profile Web sites based on Microsoft Active Server Pages and ASP.NET technologies have been hacked and defaced, leading to scores of embarrassed officials and requests for Microsoft to please, PLEASE, do something about it!

Among the Web sites falling victim to SQL Server attacks were a Web site owned by German TV station ARD, a Web site run by the Tech Target publishing company, an official Indian tourist Web site, the United Nations Web site, a Rhode Island government Web site, and Kaspersky's Malaysian Web site, according to Wikipedia. Even Microsoft's own British Web site was hacked.

Earlier this year, the attacks escalated, as hackers shared tools designed to automate the attacks. In June, Microsoft finally responded to the escalation by issuing Security Advisory 954462. The advisory acknowledged the escalating problem with SQL injection attacks, but stated that the attacks are not the result of any technical flaws in Microsoft's SQL Server database or in its Internet Information Services (IIS) Web server, but rather are due to poor programming practices by developers creating dynamic Web sites using Microsoft's technology.

In other words, Microsoft was saying if you don't follow best practices and validate input to prevent SQL commands (and SQL injection attacks) from getting into the user input fields on your fancy-schmancy Web sites, then it's your own darned fault if you get hacked. Sorry, there's nothing we can do.

But actually, there was something Microsoft could do, and it's finally done it with the release of UrlScan 3.0 last week.

UrlScan is a free add-on developed by Microsoft's IIS team for IIS version 6 that filters requests coming into the IIS Web server in real time. In previous releases, it could identify malicious requests using a number of techniques, including checking the size of the URL, inspecting headers, and looking for unexpected characters in the URL.

Such techniques helped UrlScan block one of the most infamous Microsoft vulnerabilities, CodeRed. Subsequent versions of UrlScan worked so well that most of its functions were incorporated into the "request filter" component of IIS 7.

UrlScan, however, could do nothing about the recent spate of SQL injection attacks. That's because the tool lacked the capability to analyze the query string itself, according to Wade Hilmo, a senior developer with the IIS product team. "For historical and some obscure RFC reasons, UrlScan never looked at the query string," Hilmo writes in his blog.

Hilmo and friends went back to work, and came up with a way to analyze the entire query string with UrlScan version 3, which goes a long way toward clamping down on many types of SQL injection attacks.

A beta of the tool was released in June, and last week Microsoft posted a final version of the tool. Users can download either an x86 version for 32-bit systems or an x64 version for 64-bit systems.

Hilmo emphasizes that UrlScan 3.0 isn't a cure-all for SQL injection attacks. "It cannot be overstated that these tools are just an interim measure to buy time to fix the affected applications," he writes. "While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server."

In other words, you still have to fix your applications.
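The contrast the advisory and Hilmo's blog draw, between a perimeter filter on the query string and the application fix it buys time for, is easier to see in code. The following is an added example and is not code from the article, from Microsoft, or from UrlScan itself. It uses an in-memory SQLite table with constructed rows, a constructed deny list modelled loosely on the idea of a query-string filter, and hypothetical lookup functions: one that concatenates the request value into SQL text (the programming flaw the advisory points at) and one that binds it as a parameter (the fix the article says you still have to make).

```python
# Added example, not code from the article, from Microsoft or from UrlScan.
# It contrasts the root cause named in Security Advisory 954462 (user input
# concatenated into SQL text) with the application-level fix (bound
# parameters), and models a UrlScan-style query-string deny list to show why
# such a filter is only an interim measure. Table, rows, deny sequences and
# the lookup functions are all constructed for this example.
import sqlite3
from urllib.parse import parse_qs, unquote_plus

# Constructed deny list in the spirit of a query-string filter: character
# sequences that rarely belong in a legitimate query string.
DENY_SEQUENCES = ("'", "--", ";", "/*", "xp_", "declare ", "cast(")


def make_db():
    # In-memory database with constructed sample rows; one name carries a
    # legitimate apostrophe to show what a blunt filter does with it.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("o'brien", "obrien@example.invalid")],
    )
    return con


def lookup_vulnerable(con, name):
    # The flaw: the request value is pasted into the statement, so the
    # database parses it as SQL rather than treating it as data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, name):
    # The fix: the value is bound as a parameter and can only ever be
    # compared against the name column, whatever characters it contains.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def query_string_blocked(raw_query_string):
    # Models a request filter that inspects the decoded query string for
    # denied sequences. It never sees the SQL statement the application
    # will build, so it can only guess from the request text.
    decoded = unquote_plus(raw_query_string).lower()
    return any(seq in decoded for seq in DENY_SEQUENCES)


def handle_request(con, raw_query_string, lookup):
    # Simulates the server path: the filter runs first, then the
    # application's own query. Returns (status, rows).
    if query_string_blocked(raw_query_string):
        return ("rejected", None)
    params = parse_qs(raw_query_string)
    name = params.get("name", [""])[0]
    return ("ok", lookup(con, name))


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "name=alice", lookup_vulnerable))
    print(handle_request(db, "name=o%27brien", lookup_parameterized))
    print(lookup_parameterized(db, "o'brien"))
```

Running it shows both halves of the article's point. The filter rejects a request whose query string contains a quote character, which is why it stops the mass automated attacks described above, but it also rejects the perfectly legitimate lookup of `o'brien`, and it would do nothing for a request whose dangerous content arrived somewhere other than the query string. The parameterized lookup, by contrast, returns the right row for `o'brien` and treats every value as data, which is the fix the filter is buying time for.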

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034