Microsoft tools address SQL injection attacks

Advisory helps Web sites that use Microsoft ASP and ASP.NET technologies against recent Web-based attacks.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi

On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks.

In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits. At the time Microsoft insisted it was not the result of a vulnerability, but lack of best practices on the sites themselves.

The tools released Tuesday are designed to help Web developers mitigate against such attacks.

"These free tools offer detection and defense, as well as identify possible code which may be exploited by an attacker," said Bill Sisk, security response communications manager for Microsoft.

The three tools include HP Scrawlr, UrlScan version 3.0 Beta, and a SQL Source Code Analysis Tool. Microsoft further recommends following the best practices found within advisory 954462.