Is Microsoft at fault for Web site cracking spree?

Last week was a lousy week for Web site administrators. Depending on your expert of choice anywhere from just over a hundred-thousand to half-a-million plus Web pages had been hacked to turn this into malware-spewing portals.

Panda, the security company, suggested that a recently unveiled 'elevation of privilege' flaw that could be used on XP SP2, Vista, and, far more significantly, Windows Server 2003 and 2008 could be at fault. While the elevation of privilege vulnerability can't be used to gain full-control of a system, it can be used to get control of accounts that are often used to run Microsoft's IIS (Internet Information Services) custom applications. So, for example, if you're running a Web application that uses ASP.NET in full trust mode, your site is crackable.

Microsoft, however, is denying that this wave of attacks have anything to do with IIS or with this particular security hole. Instead, Bill Sisk, a communications manager at Microsoft's Security Response Center, said the attacks appeared to be ordinary SQL injection attacks.

OK, so whose fault is it then? Much as I like to pound on Microsoft, this time it doesn't seem to be their fault. Well, not entirely the boys from Redmond's fault anyway.

This attack, according to Dancho Danchev, an independent security consultant, "is very likely" to be aimed at IIS servers using SQL Server since only SQL Server "allows query stacking by separating the queries with a semicolon-this is crucial for a guaranteed compromise through a Web application." But, and this is important folks, the attack can only get to SQL Server in the first place if "the program that is being injected does not sanitize user supplied data." In other words, if your site is set to check if user entered information bears some resemblance to valid information your Web site can't be attacked.

Mind you, I'm not talking here about checking to see if the data is valid. I'm talking about such basics as making sure your site's first name field doesn't buy "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300" followed by multiple other lines of hexadecimal code as a valid name to be passed on to SQL Server. That line of what appears to be nonsense, by the way, is the actual beginning of the SQL injection attack code.

That said, as security company F-Secure points out, "So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code."

True, but I think there's enough blame to go around. While I think lazy Web developers can take the lion's share, it also strikes me that Microsoft could do more with both IIS and SQL Server to make them more resistant to these kinds of attacks.

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon