Mass Attack FAQ
A number of incompetent tech journalists and bloggers have spun this story as an attack against a vulnerability in Microsoft’s IIS web server. This link explains what really happened, which seems to be the following:
- A number of incompetent web developers — there are many of them — made websites that don’t properly validate user input. The result is that crackers can input text strings that will execute SQL in these incompetent programmers’ databases.
- Some crackers created a program that finds websites vulnerable to these SQL injection attacks, and injects one specific SQL string. This string depends on features of Microsoft’s SQL server to inject data into tables without knowing exactly what the table schema looks like.
- This SQL, using SQL Server-specific features, puts some malicious javascript into tables in these websites’ databases. This javascript will then be output on these websites and fuck with vulnerable users in the background, without the end user or the website owner noticing if they don’t know where to look.
So, the attack uses faults made by stupid ASP programmers (who are making the same mistakes PHP programmers, Java programmers, and other web developers routinely do — fail to properly sanitize user input) to inject SQL into SQL Server databases, which happen to be used most commonly with MS’s IIS server but are completely independent of it. They then use a feature (not a bug!) of SQL Server, which is normally completely sane since attackers aren’t supposed to be running SQL code at their own will, to inject dangerous javascript.
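The three pieces above (the concatenation bug, the script tags sitting in text columns, and the page echoing them out) in one runnable illustration. This is an added example, not code from the post or from any affected site: it uses an in-memory SQLite database with made-up table names and rows, and the script URL in the sample row is a placeholder.

```python
"""Added example: the 'where to look' check for stored script tags, the
concatenation mistake the post describes next to its parameterised fix, and
output escaping as a second line of defence. All data here is constructed."""
import html
import re
import sqlite3

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def build_db():
    """Constructed sample database: two content tables, one row of which
    already carries an injected script tag (placeholder URL, not a real one)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget',
            'Gadget<script src="http://example.invalid/x.js"></script>');
        INSERT INTO news VALUES (1, 'Hello', 'Welcome to the site');
    """)
    return con


def find_injected_script(con):
    """Walk every column of every user table and report cells that contain a
    script tag. Returns (table, column, rowid) triples; this is the check a
    site owner can run to notice the symptom the post talks about."""
    hits = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for rowid, val in con.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(val, str) and SCRIPT_TAG.search(val):
                    hits.append((table, col, rowid))
    return hits


def lookup_unsafe(con, name):
    """The mistake: user input pasted straight into the SQL text."""
    return con.execute(f"SELECT descr FROM products WHERE name = '{name}'").fetchall()


def lookup_safe(con, name):
    """The fix: bind the value as a parameter, so the driver never parses it as SQL."""
    return con.execute("SELECT descr FROM products WHERE name = ?", (name,)).fetchall()


def unsafe_lookup_breaks_on_quote(con):
    """A single quote is enough to change the statement in the unsafe version."""
    try:
        lookup_unsafe(con, "O'Reilly")
        return False
    except sqlite3.OperationalError:
        return True


def render(descr):
    """HTML-escape database content on output, so a stored tag is shown as text."""
    return html.escape(descr)
```

Running `find_injected_script` against a real database needs read access and the same column walk the attack used; the parameterised lookup is the change that stops the injection in the first place.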
So who’s at fault here? Certainly not the programmers who made IIS. Not the programmers who made SQL Server either. Not Microsoft at all. It’s the developers who fail to make sure crackers can’t execute code at will in their databases. Oh, and the stupid journalists and bloggers who are blaming MS. For once, Microsoft is innocent.