Security expert: Don't blame Microsoft for mass site defacements

Now that the bad guys have found a generic way to attack SQL-based Web sites, look for more attacks in the near future, says CTO of WhiteHat Security.

Progress was made Monday in mitigating thousands of SQL-based Web sites injected with malicious Javascript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by injecting executable code. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

On Monday, CNET found a few sites still infected with the latest SQL-injection attack.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a generic way to blast the Internet, and they've chosen to attack sites running MS-SQL.

On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.

Grossman agreed it's not Microsoft's fault, and said the attacks could have easily targeted another vendor's software. If users surf to an SQL-injected site, their browser will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins.

Grossman said that just turning off Javascript won't necessarily protect end users from this latest round of attacks since the attackers can use traditional HTML as well.

"It's said that the attacks never get worse, they only get better," Grossman said. But in terms of the good guys closing the gap with the attackers, he remains optimistic. He said with more diligence and more care, we can protect Web sites from these attacks.

Featured Video

Why do so many of us still buy cars with off-road abilities?

Cities are full of cars like the Subaru XV that can drive off-road but will never see any challenging terrain. What drives us to buy cars with these abilities when we don't really need them most of the time?

by Drew Stearne