29 April 2008

500,000 Microsoft-Powered Sites Hit With SQL Injection

A new SQL injection attack aimed at Microsoft IIS web servers has hit some 500,000 websites, including the United Nations, UK Government sites and the U.S. Department of Homeland Security. While the attack is not Microsoft's fault, it is unique to the company's IIS server.

The automated attack takes advantage of the fact that Microsoft's IIS servers allow generic commands that don't require a specific table-level argument. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw.

In other words, there's no patch that's going to fix the issue; the problem lies with the developers who failed to follow well-established security practices for handling database input.

The attack itself injects malicious JavaScript code into every text field in your database; that JavaScript then loads an external script that can compromise a user's PC.

Most of the larger sites affected have long since repaired themselves and claim that the underlying problems in their code have been fixed. However, if you don't want to take the chance, there's a simple way to avoid the problem: use Firefox with NoScript. Since the attack loads a script from a different domain, NoScript will stop it from running.

If your site has been affected, you're going to need to restore your database from a clean backup and start reviewing your code to make sure all input is properly sanitized; otherwise you'll just get hit again. Should you not have a clean backup of your database, hackademix.net has a workaround: rerun the attack with a couple of lines changed so that it removes the injected JavaScript instead of adding it.
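The two remediation steps above, cleaning the injected tags out of every text column and handling input with bound parameters, as an added example that is not from this post or from hackademix.net. It uses Python against an in-memory SQLite database (the affected sites ran Microsoft SQL Server, whose catalogue queries differ), with a constructed `posts` table and a placeholder injected domain.

```python
import re
import sqlite3

# Constructed sample payload; the domain is a placeholder, not a real indicator.
INJECTED_TAG = '<script src="http://injected.example/x.js"></script>'
# Matches an external <script src=...></script> tag appended to a field.
SCRIPT_RE = re.compile(r'<script\b[^>]*\bsrc\s*=[^>]*>\s*</script\s*>', re.I)

def text_columns(conn):
    """Return (table, column) for every text-typed column in the schema."""
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # Names come from the schema catalogue, not from user input.
        for _, name, ctype, *_ in conn.execute(
                f'PRAGMA table_info("{table}")').fetchall():
            if ctype.upper() in ("TEXT", "CHAR", "VARCHAR", "NVARCHAR"):
                found.append((table, name))
    return found

def strip_injected_scripts(conn):
    """Strip injected script tags from every text field; return cells changed."""
    changed = 0
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
            ("%<script%",)).fetchall()
        for rowid, value in rows:
            cleaned = SCRIPT_RE.sub("", value)
            if cleaned != value:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                             (cleaned, rowid))
                changed += 1
    conn.commit()
    return changed

def find_body(conn, title):
    """Parameterized lookup: user input is bound, never concatenated into SQL."""
    return [r[0] for r in conn.execute(
        "SELECT body FROM posts WHERE title = ?", (title,))]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, body TEXT, views INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        ("hello" + INJECTED_TAG, "first post" + INJECTED_TAG, 3),
        ("clean", "nothing here", 1)])
    changed = strip_injected_scripts(conn)
    return changed, find_body(conn, "hello"), find_body(conn, "x' OR '1'='1")
```

Run the cleanup against a copy of the database first and check that the change count matches the number of cells you expect to have been hit.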

"A vulnerability in a network will allow a malicious user to exploit a host or an application. A vulnerability in a host will allow a malicious user to exploit a network or an application. A vulnerability in an application will allow a malicious user to exploit a network or a host."
— Carlos Lyons, Corporate Security, Microsoft

24 April 2008

Sun to Fully Open Source Java

Dionysius, God of Wine and Leaf, brings news that Sun Microsystems will be removing the last restrictions on Java to make it completely open source. Sun wants Java to be easily available for use in Linux distributions. We've discussed the steps Sun has taken to open-source Java over the past couple of years. From Yahoo! News: "'We've been engaging with the open-source community for Java to finish off the OpenJDK project, and the specific thing that we've been working on with them is clearing the last bits that we didn't have the rights to distribute,' Sands said. 'Over the past year, we have pretty much removed most of those encumbrances.' Work still needs to be done to offer the Java sound engine and SNMP code via open source; that effort is expected to be completed this year. Developers, though, may be able to proceed without a component like the sound engine, Sands said.