• New Guidance on the SQL Injection Attacks

    We just published two new pieces of guidance yesterday for the latest SQL Injection attacks, which I want to make sure you saw:

    Roger

  • Microsoft Advisory for Safari Flaw

    I posted yesterday on the Safari flaw (Why Apple has to fix the Safari flaw), as Apple did not acknowledge that this is a security vulnerability. Unfortunately we have now had to release an advisory for this, as we started to see that the bad guys could use this "feature" to attack machines; we are calling it a blended threat.

    I just wanted to make sure you saw it: Microsoft Security Advisory (953818) - Blended Threat from Combined Attack Using Apple's Safari on the Windows Platform

    Roger

  • The latest SQL Injection Attacks

    Well, there was quite some chatter over the last few weeks with regard to the massive defacements we saw based on SQL Injection attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however, that is not where a lot of people started at the beginning.

    Just as an example, The Washington Post published an article called "Hundreds of Thousands of Microsoft Web Servers Hacked" and said: "Hundreds of thousands of Web sites […] have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines." Whereas the first part was true (though it gave a wrong impression), the content of the article was definitely wrong, as it was (and still is) not a Windows or IIS vulnerability but just bad programming.

    What we see are tools that use Google to find web applications with potential SQL Injection vulnerabilities and then try to attack them. From there on, they try to use the SQL Injection flaw to exploit vulnerabilities in Flash or other software on the machines of visitors.
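    The point that these attacks exploit bad programming rather than a Windows or IIS bug is easiest to see with the vulnerable pattern and its fix side by side. The following is an added example, not code from this post or from Microsoft: it is a hypothetical article-lookup handler in Python, backed by a constructed in-memory SQLite table that stands in for any web application's database. The first function pastes the request parameter into the SQL text (the flaw the automated tools look for); the second passes it as a bound parameter, which is the fix regardless of the web server or database behind the site.

```python
import sqlite3


def make_db():
    """Constructed sample data: one published article and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public post", 1), ("Draft post", 0)],
    )
    return conn


def lookup_vulnerable(conn, article_id):
    """Hypothetical handler with the flaw: the request value becomes SQL text.

    Whatever the client sends in article_id is parsed by the database as part of
    the statement, so the 'published = 1' restriction can be bypassed.
    """
    sql = (
        "SELECT title FROM articles WHERE published = 1 AND id = "
        + article_id
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, article_id):
    """Hardened handler: the request value travels as a bound parameter.

    The statement text is fixed; the value can only ever be compared against
    the id column, never interpreted as SQL. Rejecting non-numeric ids before
    the query (int(article_id)) would be a cheap additional layer on top.
    """
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (article_id,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "2", "1 OR 1=1"):
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value),
              "parameterized:", lookup_parameterized(db, value))
```

    With the legitimate id "1" both handlers return the public post; with a tautology appended to the id, the vulnerable handler also returns the unpublished draft, while the parameterized one returns nothing because the whole string is compared as a value against the id column. The same two shapes exist in ASP.NET (string concatenation into SqlCommand.CommandText versus SqlParameter objects), which is why the guidance linked in this post centres on how the application builds its queries rather than on the server.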

    So, what can you do about it?

    Understand the current threat and read SQL Injection Attacks on IIS Web Servers on our IIS Blog and Questions about Web Server Attacks on the Microsoft Security Response Center Blog. Once you have done that, I think you should (if you are not already) familiarize yourself with this kind of attack; there are some very good resources that engineers at Microsoft compiled for you:

    General Guidance on SQL Injection:

    Incident Response with focus on SQL Injection:

    And last but not least some MSDN guidance:

    Roger

  • Why Apple has to fix the Safari flaw

    Remember me talking about Is Security Research Ethical? I made a statement there about responsible disclosure of vulnerabilities: "And then, what does the vendor do with it? Does the company act on it?"

    Now, we can debate what is a vulnerability and what is not. Personally, I am convinced that a vendor should be transparent about when it treats a bug as a vulnerability and when not. There is actually a good essay by Scott Culp about this called Definition of a Security Vulnerability.

    Why am I telling this? Well, there seems to be a disagreement between Apple and the rest of the world about whether Safari's Carpet Bombing flaw is a security vulnerability or not. Robert Hensing already posted on that last week (Safari "carpet bombing" Fail Open Goat Award) and ZDNet took it up yesterday as well (Why Apple must fix Safari 'carpet bombing' flaw immediately). And I quote: "[…] but when it comes to responding to legitimate security threats, Apple is light years away from living up to the messages in those commercials" (they are referring to the statement "Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one" in the Security tab of Apple's Safari page).

    Remember the days of the "Unbreakable" ads (I know that was not Apple, but it goes in the same direction).

    These are exactly the kind of discussions that do not really help to address security as an industry, nor to promote responsible disclosure…

    Roger

  • How to sell security

    I just read this essay by Bruce Schneier: How to Sell Security. This is definitely a must-read in my opinion. Not that it really tells you how to sell it, but it helps you to understand the "mechanics" of it.

    Roger