Microsoft, HP Ship Free Tools to Combate SQL Injection Attacks

Three tools help sites ward off growing risk from hackers from attacking legitimate sites.

Microsoft Responds to SQL Injection Attacks

IBM: SQL Injections Entering 'Third Wave' - Growing Resistant

Mass SQL Injection Attack Targets Chinese Web Sites

Databases Assaulted by SQL Injection Attacks

The move is in response to a major upswing during the first six months of 2008 in the number of attacks targeting legitimate sites. Most of the hacks have used SQL injection attacks, and have compromised significant sites including ones operated by government agencies, the United Nations and major corporations.

In a report issued the same day, Finnish security company F-Secure estimated the number of pages hacked by SQL injection attacks so far this year at between two and three million.

Previously, Microsoft has denied that its software was vulnerable to attack or otherwise responsible for the flood of hacked sites. Instead, the company told developers and administrators to follow the company's guidelines to protect their sites from attack.

That stance hasn't changed, but Miller said Microsoft's customers have been asking for more help. "We have seen a recent rise in the number of SQL injection attacks," he acknowledged, "and we wanted to provide some tools and guidance to users so that they could deal with these attacks."

One of the two Microsoft tools came from the company's IIS (Internet Information Services) Web server developers. Dubbed "UrlScan," it's actually an updated version of a tool last refreshed in 2003, said Wade Hilmo, a senior development lead in the IIS group.

UrlScan, Hilmo added, can now scan query strings—not only a URL itself, as before—so that it can filter the malicious strings that power SQL injection attacks. But it's only a temporary stopgap meant to protect a site while developers go into the code to correct the problems being exploited. "This is only a mitigation," Hilmo cautioned.

It should block the bulk of attacks, however. "UrlScan can filter out all the known versions of the attacks we've seen this year," said Hilmo.

Microsoft's SQL Server team contributed the second Microsoft utility, "SQL Source Code Analysis Tool," which analyzes ASP.Net code and sniffs out vulnerable bits. APS.Net is Microsoft's Web application framework, and a major target of 2008's injection attack campaigns.

1 | 2 |next page »

Comments

More from IT Drilldown « Back to Security

Articles

Microsoft Promises to Stymie Hackers Next Week with New Patches

The Botnet World is a Booming World

New Spam Trick: Shortened URLs

IBM Security Software Masks Confidential Info

Verizon Helping Companies Assess Application Vulnerabilities

How to Use Electrical Outlets and Cheap Lasers to Steal Data

As Three Big iPhone Troubles Surface, Apple Dinged for Secrecy

France Creates New National IT Security Agency

Mobile Security ABCs

Get up to speed on mobile security.

Learn More »

Security Newsletter

Security MarketSpace

White Papers

Secure Training Videos to Prevent Theft

Learn how Dream Force extended their marketing reach without being constricted. Learn more »

Prevent Intellectual Property Theft

Learn what the key components were in Hock International's purchasing decision. Learn more »

Is Your PDF Security Software Really Secure?

Find out what security vendors might not be telling you about their products and solutions. Learn more »

Webcasts

Managing Client Systems in the Enterprise

Why Data Loss is Increasing--and What You Can Do About It

Maximizing the Business Value of the PC Infrastructure

Reduced IT budgets have CIOs hunting for ways to maximize their PC infrastructure, while saving money and IT staff time. Diane Bryant, CIO of Intel Corp., talks with CIO magazine's Gary Beach about how her organization is addressing these challenges. Learn more »