Security Advisor

SQL Injection Hits Older SQL Server Versions, For Now

Tell me if this sounds familiar: A new SQL injection attack affecting as many as 1.5 million Web addresses has database, application and security admins talking this week. The attacks affect SQL Server versions 2000 and 2005, while SQL Server 2008-based sites are safe for now.

The latest attack has been dubbed LizaMoon after the URL from which the injection was launched. If you're curious, know that the real lizamoon.com will only produce Google results about the attacks.

SQL injection attacks take place when malicious code, embedded at the app or database level, insinuates itself into routine queries of the target Web site's database. Be sure to check the URL address bar of your browser of choice when visiting a vulnerable Web site.

Redmond released this statement regarding the attacks over the weekend:

"Microsoft is aware of reports of an ongoing SQL injection attack. Our investigation has determined these sites were exploited using a vulnerability in certain third-party content management systems. This is not a Microsoft vulnerability."

Even so, SQL Server technology is being exploited and incursions are happening during Internet Explorer sessions, which in turn are taking place on Windows OSes only. So if this is not a Microsoft "vulnerability," it could reasonably be described as a Microsoft "issue," as Websense and other security experts have pointed out.

The best ways to nip SQL injection in the bud are, first, to tighten up security in custom application code; next, to control access privileges to the enterprise database at the application level; and then, at the server level, to use server logs to monitor HTTP requests.
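As an added illustration of the first and third of those points (example code written for this column, not anything from Microsoft, Websense or the affected CMS vendors): the injectable string-concatenation pattern beside its parameterized replacement, plus a coarse screen over Web server log lines for query strings that decode to SQL fragments. It assumes SQLite standing in for SQL Server and constructed common-log-format lines; the keyword list is an assumption, and the log check is a screening heuristic that will produce false positives.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit


def make_db():
    """Constructed in-memory table standing in for a CMS page-content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)",
                     [("Home", "Welcome"), ("About", "Who we are"), ("Contact", "Email us")])
    return conn


def search_vulnerable(conn, term):
    """The injectable pattern: user input is pasted straight into the SQL text,
    so a quote in the input changes the meaning of the query."""
    sql = "SELECT title FROM pages WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix: the value travels separately from the SQL text, so whatever the
    input contains, it is only ever compared against the column."""
    sql = "SELECT title FROM pages WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Assumed marker set for the log screen: SQL keywords, comment sequences, quotes.
SQL_MARKERS = re.compile(r"(?i)\b(select|union|declare|cast|exec|drop|insert|update)\b|--|'")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def flag_suspicious_requests(log_lines):
    """Return request paths whose URL-decoded query string carries SQL markers."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path = m.group(1)
        query = unquote_plus(urlsplit(path).query)  # decode %27, %20, + and so on
        if SQL_MARKERS.search(query):
            hits.append(path)
    return hits


# Constructed sample log lines; only the second carries an encoded quote/OR payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2011:10:00:00 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Apr/2011:10:00:01 +0000] "GET /news.asp?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '10.0.0.7 - - [01/Apr/2011:10:00:02 +0000] "GET /about.asp HTTP/1.1" 200 300',
]
```

Running the two search functions with the same quote-bearing input shows the concatenated query returning every row while the parameterized one returns none; the log screen flags only the second sample line.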

Microsoft Reports on SDL Progress
Microsoft has been serious about working with customers, users, developers and admins on integrated security at the program development level. And rather than reacting to threats, the software company has been drumming its proactive approach, the Security Development Lifecycle, into the consciousness of Windows coders since its inception.

With that, Microsoft released its first Security Development Lifecycle Progress Report, which details the history and progress of SDL, as well as case studies of how the SDL program is taking hold in the enterprise space.

Outlining what's at stake with the report and SDL for Redmond, Microsoft's SDL Program Manager David Ladd blogged that Microsoft is "seeing an uptick in the number of attacks that are unique and complex," and he added that the days of easy-to-find vulnerabilities were "over."

Symantec's Sobering Findings
Since we're talking reports, just this morning Symantec released its Internet Security Threat Report, Vol. 16, covering the 2010 calendar year. Among the key findings:

New threats emerging last year reach 286 million. Symantec says "polymorphism" among malware entities and "new delivery mechanisms" such as Internet-based toolkits continue to push up the number of distinct threats to a pace where, pretty soon, there will be one unique malicious program for each of America's 300 million-plus citizens.

Web attacks increase by 93 percent. The aforementioned toolkits pushed the volume of Web attacks to nearly double from 2009, according to Symantec. Additionally, the use of corrupt TinyURL or bit.ly shortened Web addresses as links on social media sites also contributed to this increase.

More than 260,000 identities exposed per breach. A little more than 260,000 personally identifiable information profiles were exposed on average with each data breach that came as the result of a hack in 2010. A quarter million profiles exposed is nothing to sneeze at.

14 new zero-day vulnerabilities. That figure may on its face seem small, but when you're talking about a brand new bug affecting large operating systems such as Windows and large applications like IE, a pace of one zero-day a month comes into clearer focus. Symantec reports that vulnerabilities playing a key role in targeted attacks include those used by Hydraq and Stuxnet, which gave Windows IT pros and security generalists the same fits that Conficker did in 2009. It's important to note that Stuxnet alone used four different zero-day vulnerabilities.

Mobile vulnerabilities. If 2011 is truly the year that smartphones with the computing power of a PC begin to become an enterprise staple, then check this out: Mobile bugs were up 42 percent in 2010. Symantec says "the number of reported new mobile operating system vulnerabilities increased, from 115 in 2009 to 163 in 2010." Hackers have always been mobile and anonymous in character. Now, the attack vectors are mobile.

Historic number for 'new' bugs. This is a key takeaway from today's report: Symantec documented more than 6,253 vulnerabilities last year, which is more "than in any previous reporting period." When you have nearly 300 million threats on a little more than 6,200 bugs, it's clear that cybersecurity priorities will need to continue to shift into higher gear.

We've all got our work cut out for us in 2011.

[Editor's Note: 4/7 - Corrected SQL Server version.]

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
