Microsoft, HP ship tools to protect Web sites from hackers

Three tools help sites ward off growing SQL injection attacks

Microsoft and Hewlett-Packard on Tuesday unveiled free tools to help Web developers and site administrators defend against the rapidly growing number of SQL injection attacks that aim to hijack legitimate sites.

"We released two new tools, and HP has released one, to help administrators discover flaws so that they can mitigate attacks," said Mark Miller, director of Microsoft's Trustworthy Computing product management.

The move is in response to a major upswing during the first six months of 2008 in the number of attacks targeting legitimate sites. Most of the hacks have used SQL injection attacks, and have compromised significant sites including ones operated by government agencies, the United Nations and major corporations.

In a report issued the same day, Finnish security company F-Secure estimated the number of pages hacked by SQL injection attacks so far this year at between two and three million.

Previously, Microsoft has denied that its software was vulnerable to attack or otherwise responsible for the flood of hacked sites. Instead, the company told developers and administrators to follow the company's guidelines to protect their sites from attack.

That stance hasn't changed, but Miller said Microsoft's customers have been asking for more help. "We have seen a recent rise in the number of SQL injection attacks," he acknowledged, "and we wanted to provide some tools and guidance to users so that they could deal with these attacks."

One of the two Microsoft tools came from the company's IIS (Internet Information Services) Web server developers. Dubbed "UrlScan," it's actually an updated version of a tool last refreshed in 2003, said Wade Hilmo, a senior development lead in the IIS group.

UrlScan, Hilmo added, can now scan query strings -- not only a URL itself, as before -- so that it can filter the malicious strings that power SQL injection attacks. But it's only a temporary stopgap meant to protect a site while developers go into the code to correct the problems being exploited. "This is only a mitigation," Hilmo cautioned.

It should block the bulk of attacks, however. "UrlScan can filter out all the known versions of the attacks we've seen this year," said Hilmo.

Microsoft's SQL Server team contributed the second Microsoft utility, "SQL Source Code Analysis Tool," which analyzes ASP .Net code and sniffs out vulnerable bits. APS.Net is Microsoft's Web application framework, and a major target of 2008's injection attack campaigns.

Fixes, however, must still be made manually by developers, said Bala Neerumalla, a software security developer in the company's SQL group.

Users shouldn't think that Microsoft is getting altruistic, said John Pescatore, an analyst with Gartner. "Don't fool yourself, if these attacks were only against, say, MySQL, they wouldn't be doing this." Rather, Microsoft is reacting to the uptick in attacks against ASP.Net code, he continued.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?