Hundreds of thousands of Web sites -- including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines.
The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.
On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn't offer much more information.
According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.
View: Full Article @ The Washington Post
http://blogs.technet.com/msrc/archive/2008...er-attacks.aspx
The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.
You just proved the problem is with IIS or ASP for not removing SQL injection attacks out of the strings. PHP has a basic method on by default; does ASP even have a parse out SQL injection command?
As for ASP, there have been protections against SQL injection for a very, very long time; check http://www.4guysfromrolla.com/webtech/061902-1.shtml for more information on the basics. Like PHP, you can use regular expressions as well for more advanced techniques.
So it has more to do with lazy programmers who can't code properly than ASP/IIS being at fault. SQL injection happens a lot on PHP sites as well.
That was one of the poorest features of PHP. It does not make it any more secure in the long run either, as unaware users have SQL injection attacks within their code and rely on the server to fix it, where there is no guarantee that the server incorporates this feature (the setting is enabled). It also makes aware developers' lives a pain in the ass, as we have to properly handle all those manipulated strings.
If you are stupid enough to let SQL injection attacks into your code, you should not be doing commercial websites.
Summed up into one, +1
"UPDATE: Do note that this attack doesn't use vulnerabilities in any of those two applications."
You will see that EVERY TIME there's an attack on MS code.
1. Exploitable code exists.
2. Researchers or individuals will find the exploit.
3. They report to MS.
4. MS will deny it. Or deny that anyone 'is' using at the time of the report.
5. Exploit code is developed, proof of concept shown to MS.
6. MS will deny it.
7. Code is released to the web, and attacks begin.
8. Servers taken offline, websites destroyed, consumers' PCs are attacked.
9. MS releases a report that they will investigate the vulnerability.
10. A patch is released. (hopefully one that will not cause even more problems in the operating system)
11. MS apologizes.
12. We go on living our happy little lives trusting MS to keep us safe.
If you think I'm posting this as an attack against MS.. it's not. Check your history of all reports of this kind, and you will see this repetitive pattern each time.
Bottom line... trust MS to create an OS for games. Trust it with your finances and you have no right to bitch should your entire industry or govt go down in flames. In fact... the only one you should trust is yourself. Security is up to you... not MS or any other company.
It is simply a SQL Injection attack, nothing more, nothing fancy, no major hole in MS's products that would make MS solely responsible.
As this IIS blog also points out:
I think there is some truth in your 12 points, but SQL scripters do have to play their part. The world has quickly embraced computer / Internet technology, this is just part of the growing pain. The real question is whether there will be a world left, by the time we perfect the technology. Once all these systems are mature, where are all the many system developers going to work... Ans: writing bloated drivers for HP scanners I guess. ;-)
People will keep on trying to hack... and almost 24x7 there are IT administrators looking around... and if they find that their system is getting seeded or hacked, they turn down their servers first!
Hmm. I don't think there's any mention of Vista. Flame much?
apache > IIS
in security
Reread!
UPDATE: Do note that this attack doesn't use vulnerabilities in any of those two applications.
apache > IIS
in security
And this comment proves you know nothing about web development, so commenting on web server software is something you should refrain from.
This is a SQL injection attack. It doesn't matter what OS, what web server software, what server-side technology, or what database software you use. All that matters is whether or not the developer sanitized their inputs. A Linux box running Apache, PHP, and MySQL is just as prone to SQL injection attacks as a Windows box running IIS, ASP.NET, and MSSQL. Hell, I have to sanitize inputs for IBM iSeries DB2.
So the moral of the story: hire competent web developers.
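The argument running through the comments above (automatic quote escaping by the server does not stop SQL injection, and the fix is the same on any platform) as an added example that is not from the article or from any commenter. It uses Python's sqlite3 as a stand-in database; the table, the rows, the request value and all function names are constructed for illustration.

```python
import sqlite3

# Constructed request value: no quote characters, so quote escaping has nothing to do.
HOSTILE_ID = "0 OR 1=1"

def make_db():
    # Constructed sample data: one public row and one row that must stay hidden.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Press release", 1), (2, "Internal draft", 0)])
    return db

def escape_quotes(value):
    # Stand-in for server-side automatic escaping: it only rewrites quotes.
    return value.replace("'", "''")

def lookup_concat(db, raw_id):
    # Vulnerable: the request value becomes part of the SQL text.
    sql = ("SELECT title FROM articles WHERE is_public = 1 AND id = "
           + raw_id + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_escaped(db, raw_id):
    # Still vulnerable: the value sits in a numeric position, outside any
    # quotes, so the escaping filter passes it through unchanged.
    sql = ("SELECT title FROM articles WHERE is_public = 1 AND id = "
           + escape_quotes(raw_id) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, raw_id):
    # Hardened: validate the expected type, then bind the value as a
    # parameter so it is never parsed as SQL.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT title FROM articles WHERE is_public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (article_id,))]

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_escaped, lookup_param):
        print(fn.__name__, fn(db, "1"), fn(db, HOSTILE_ID))
```

The first two functions return the hidden row for the constructed value, while the bound-parameter version returns nothing for it and still serves the legitimate request.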