Security expert: Don't blame Microsoft for mass site defacements

Progress was made Monday in mitigating thousands of SQL-based Web sites injected with malicious Javascript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by injecting executable code. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a generic way to blast the Internet, and they've chosen to attack sites running MS-SQL.

On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.

Grossman agreed it's not Microsoft's fault, and said the attacks could have easily targeted another vendor's software. If users surf to an SQL-injected site, their browser will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins.

Grossman said that just turning off Javascript won't necessarily protect end users from this latest round of attacks since the attackers can use traditional HTML as well.

"It's said that the attacks never get worse, they only get better," Grossman said. But in terms of the good guys closing the gap with the attackers, he remains optimistic. He said with more diligence and more care, we can protect Web sites from these attacks.