Microsoft distances itself from SQL attack
30 Apr 2008 | 08:28 BST
Buck passed to developers
SOFTWARE GIANT Microsoft claims that the latest SQL injection attack, which has so far walloped nearly 500,000 web pages, is nothing to do with its glorious IIS webserver.
The attack injects some dodgy JavaScript into every text field in a database and involves downloading an external script that can compromise a user's PC.
A SpokesVole has rushed to distance Redmond from responsibility for the flaw, which it lays at the feet of developers who failed to follow security practices for handling database input.
Vole said that there was going to be no patch to fix the problem; it was just up to developers to be a tad more careful.
However, according to Wired, one of the problems is that IIS is poorly wired. It allows the use of generic commands that don't require specific table-level arguments.
Most of the major sites which have suffered from the fault have apparently gone in and fixed the hole up themselves by tinkering with their databases.
Punters who do not trust sites to fix themselves can stuff up the attack by running Firebadger with the 'noscripts' addon running. µ
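For sites doing the database tinkering mentioned above, here is an added example (not from the article or from Microsoft) of how to find and strip script tags that have been written into every text field. It assumes SQLite as a stand-in for the affected database server; the table names, sample rows and the `injected.example` host are constructed.

```python
import re
import sqlite3

# A <script> element that loads code from an external host.
SCRIPT_TAG = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//[^\s\"'>]+[^>]*>\s*</script>", re.I)

def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    # Names come from the schema itself, not from user input, so quoting them is enough.
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col

def infected_rows(conn, table, col):
    """Return [(rowid, value)] for values holding an external script tag."""
    rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",))
    return [(rid, v) for rid, v in rows if isinstance(v, str) and SCRIPT_TAG.search(v)]

def scan(conn):
    """Return {(table, column): number of affected rows}, omitting clean columns."""
    counts = {(t, c): len(infected_rows(conn, t, c)) for t, c in text_columns(conn)}
    return {k: n for k, n in counts.items() if n}

def clean(conn):
    """Strip the matched tags in place; return the number of values rewritten."""
    changed = 0
    for table, col in list(text_columns(conn)):
        for rid, v in infected_rows(conn, table, col):
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (SCRIPT_TAG.sub("", v), rid))
            changed += 1
    conn.commit()
    return changed

def sample_db():
    """Constructed sample data: a script tag appended to every text value in some rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT, views INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name NVARCHAR(40));
    """)
    bad = '<script src="http://injected.example/x.js"></script>'  # constructed value
    conn.executemany("INSERT INTO articles (title, body, views) VALUES (?, ?, ?)",
                     [("Hello" + bad, "First post" + bad, 3), ("Clean", "Nothing here", 7)])
    conn.execute("INSERT INTO users (name) VALUES (?)", ("alice" + bad,))
    return conn
```

Review the output of `scan()` before calling `clean()`, since a site that legitimately stores external script tags in its content would lose them too. Cleaning removes the symptom only; the injectable query that let the tags in still has to be fixed.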