What is the purpose of this alert?

This alert is to notify you that Microsoft released Security Advisory 954462, "Rise in SQL Injection Attacks Exploiting Unverified User Data Input", on 24 June 2008.

Summary

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
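The coding defect the advisory describes, beside the fix, as an added illustration that is not part of the alert or the advisory itself. It assumes a SQL Server table named Products with Name and Price columns and a caller-supplied connection string; both are placeholders.

```csharp
// Added example, not from the advisory. Assumes a hypothetical table
// Products(Name, Price) and a connection string supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // The pattern the advisory warns about: user input is concatenated into the
    // statement text, so a quote character in the input ends the string literal
    // and whatever follows is parsed and executed by SQL Server as SQL.
    public static DataTable FindUnsafe(string connStr, string userInput)
    {
        string sql = "SELECT Name, Price FROM Products WHERE Name = '" + userInput + "'";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // The fix the advisory's linked guidance recommends: the statement text is a
    // constant, and the input is bound as a typed parameter value, so it can only
    // ever be compared as data and can never alter the statement's structure.
    public static DataTable FindSafe(string connStr, string userInput)
    {
        const string sql = "SELECT Name, Price FROM Products WHERE Name = @name";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Declaring type and length also rejects over-long input early.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userInput;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The same parameter-binding approach applies to stored-procedure calls (CommandType.StoredProcedure) and to classic ASP through ADO Command objects.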

The purpose of Security Advisory 954462 is to help Web site administrators identify Web application code that may be susceptible to SQL injection, and to provide a stopgap solution that mitigates SQL injection attacks against the server while the applications are being fixed.

Recommendations

Review Microsoft Security Advisory 954462 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Additional Resources

· Microsoft Security Advisory 954462, "Rise in SQL Injection Attacks Exploiting Unverified User Data Input": http://www.microsoft.com/technet/security/advisory/954462.mspx

· MSRC Blog: http://blogs.technet.com/msrc

· Links to other documentation on SQL Injection and coding best practices

SQL Server Injection Protection

Preventing SQL Injections in ASP

Coding Techniques for protecting against SQL Injection

Filtering SQL Injection from Classic ASP

How To: Protect from SQL Injection in ASP .NET

Security Vulnerability Research & Defense Blog on SQL Injection Attack