“Huge Web hack attack infects 500,000 pages - Microsoft's IIS Web server may be to blame, says researcher” read the headlines today.
But it looks like he’s jumped the gun with his finger pointing… This particular attack like so many before it (but admittedly at a much higher scale than many previous attempts) is due to a compromise known as a SQL Injection Attack.
The vulnerability is due to poorly-written SQL code that does not properly examine user input from a Web page form and allows commands to be “injected” and execute directly against the database with the same privileges as the sites own code.
What scares the heck out of me though is it’s spread to half a million pages already (though one attack targeted at, say, a shopping site with 10,000 pages would rack up a pretty big number very quickly!) because it implies a lot of fairly sloppy code is in production and not being maintained very well.
This attack – typical symptoms include pages with the code <script src=http://www.nihaorr1.com/1.js> embedded somewhere on them – is particularly neat because it’s self contained… the server is hit with a modified URL, the code is injected and updates the server all in one hit (so very hard to look out for and track). Older injection attacks normally looked for a vulnerability and then came back to exploit it.
The researcher in question seems to have jumped to a conclusion looking for some sensational PR coverage – which does make me a little skeptical about any claims they make around the level of protection they can offer ;) SQL Injection attacks are equally likely for MySQL, Oracle, SQL Server or any other database if the queries you feed to them are not sanitized. It’s not a new problem, and there has been good advice around for a long time to help developers avoid the problem.
The Register has a good write-up outlining the scale of the problem, and how hard it’s going to be to clean up…
One thing that it does go to prove though is that for users you can’t really trust anywhere you visit on the web – there’s always a risk than an attack will find a way to compromise a page you think is safe. If you don’t keep your system up to date with security patches for your client operating system, and run current anti-virus / anti-malware / anti-spyware (call it what you will) then you’re taking more risks than you need to. Personally I’m a fan of OneCare but NOD32 is another really good package. If you don’t want to pay a few bucks for insurance AVG Free does a really good job.
Update Apr 27: Read the update from the Microsoft Security Response Center on this issue, some recommendations on how to avoid SQL Injection attacks and some more handy tips from Bill Staples (the head of the IIS team, so he should know what he’s talking about). Also if you want a good background on why security matters and should be part of the initial design, not some random after thought you should read this blog.