OffBeatMammal

Searching for monkeys in Cyberspace

Fear, uncertainty and anti-spyware vendors

clock April 25, 2008 16:29 by author offbeatmammal

“Huge Web hack attack infects 500,000 pages - Microsoft's IIS Web server may be to blame, says researcher” read the headlines today.


But it looks like he’s jumped the gun with his finger pointing… This particular attack, like so many before it (though admittedly at a much larger scale than most previous attempts), is the result of a compromise known as a SQL injection attack.

The vulnerability stems from poorly written SQL code that does not properly validate user input from a web page form, allowing commands to be “injected” and executed directly against the database with the same privileges as the site’s own code.

What scares the heck out of me, though, is that it’s spread to half a million pages already (though one attack targeted at, say, a shopping site with 10,000 pages would rack up a pretty big number very quickly!) because it implies a lot of fairly sloppy code is in production and not being maintained very well.

This attack – typical symptoms include pages with the code <script src=http://www.nihaorr1.com/1.js> embedded somewhere in them – is particularly neat because it’s self-contained… the server is hit with a modified URL, the code is injected and the server is updated all in one request (so it is very hard to spot and track). Older injection attacks normally probed for a vulnerability first and then came back to exploit it.

The researcher in question seems to have jumped to a conclusion looking for some sensational PR coverage – which does make me a little skeptical about any claims they make around the level of protection they can offer ;) SQL injection attacks are equally likely against MySQL, Oracle, SQL Server or any other database if the queries you feed them are built from unsanitized input. It’s not a new problem, and there has been good advice around for a long time to help developers avoid it.
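To make the point concrete, here is an added example (not code from the original post) contrasting the string-concatenated query the post describes with the parameterized form the long-standing advice recommends. The product table and the three search inputs are constructed for this illustration; the one with an unpublished row shows why running with the site’s own database privileges matters.

```python
import sqlite3


def make_db():
    # Constructed in-memory catalogue standing in for the database behind a web form
    # (sample data for this example, not anything from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "secret-prototype", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    # The pattern the post describes: form input is pasted straight into the SQL text,
    # so whatever the user typed is parsed by the database as SQL, not as data.
    sql = "SELECT name FROM products WHERE published = 1 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # Hardened form: the query's shape is fixed in the code and the input travels
    # as a bound parameter, so it can never change what the statement does.
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def concat_breaks_on_quote(conn, term):
    # A perfectly legitimate value containing a quote (a name like O'Reilly) already
    # breaks the concatenated query; that error is an early warning that input is
    # being treated as code rather than data.
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for term in ["widget", "O'Reilly", "widget' OR '1'='1"]:
        print(repr(term))
        try:
            print("  concatenated :", search_vulnerable(db, term))
        except sqlite3.OperationalError as exc:
            print("  concatenated : SQL error:", exc)
        print("  parameterized:", search_parameterized(db, term))
```

With the concatenated query the third input returns every row, including the unpublished one, while the parameterized query simply finds no product with that literal name.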

The Register has a good write-up outlining the scale of the problem, and how hard it’s going to be to clean up…

One thing it does go to prove, though, is that as a user you can’t really trust anywhere you visit on the web – there’s always a risk that an attack will find a way to compromise a page you think is safe. If you don’t keep your system up to date with security patches for your client operating system, and run current anti-virus / anti-malware / anti-spyware (call it what you will), then you’re taking more risks than you need to. Personally I’m a fan of OneCare, but NOD32 is another really good package. If you don’t want to pay a few bucks for insurance, AVG Free does a really good job.

Exploits of a Mom


Update Apr 27: Read the update from the Microsoft Security Response Center on this issue, some recommendations on how to avoid SQL injection attacks, and some more handy tips from Bill Staples (the head of the IIS team, so he should know what he’s talking about). Also, if you want a good background on why security matters and should be part of the initial design, not some random afterthought, you should read this blog.



One Care for $9.99!

clock December 10, 2007 11:55 by author offbeatmammal

If you're interested in getting the latest One Care for a bit of a discount... Costco Online are selling the (usually $39.99) package for $30 off - that's only $9.99 for a year's protection for up to three machines.

Check it out at Costco before Jan 2 2008.

What is Windows Live OneCare?

The All-in-One Security and Maintenance Service for your Windows XP or Windows Vista-based PC

Windows Live OneCare helps protect your computer, and its automated optimization features keep your PC running at its speediest. OneCare even regularly backs up your important files. You get all this in one convenient package:

  • Protection Plus, with its antivirus and antispyware scanners and managed, two-way firewall, helps protect your computer from viruses, worms, Trojan horses, hackers, and other threats. It runs continuously in the background, but you can scan individual files, folders, and even attachments you receive via Windows Live Messenger for viruses on demand. In addition, OneCare protects you from online scams and identity theft by ensuring you have Microsoft anti-phishing technology installed and enabled.

  • Performance Plus regularly defragments your hard disk, removes any unnecessary files that can clog your PC, and helps make sure important security updates from Microsoft are installed efficiently and on time.

  • Backup and Restore regularly copies your important files to CD, DVD, external hard drive, local network computer, and USB connected storage devices.

  • Help Center includes email, chat, and phone support at no extra cost to subscribers.



One Care 2.0

clock November 16, 2007 20:12 by author offbeatmammal

I've got a couple of machines at home that I protect using OneCare. It's convenient, reliable and, unlike some other products I could mention, isn't a resource hog.

I was quite excited this evening to see that the team has released a pretty major update that improves the protection and optimization for both individual machines as well as a home network.

The update will roll out to existing users over the next few weeks so keep an eye out for it!

For more information, check out OneCare. If you're interested in a more corporate solution the bow-tie wearing chap in the office across from me pointed out that Forefront is its more enterprise focused cousin.



    Disclaimer

    The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

    © Copyright 2010