Menu
Microsoft, HP ship tools to protect websites from hackers

Microsoft, HP ship tools to protect websites from hackers

Microsoft and Hewlett-Packard Co. on Tuesday unveiled free tools to help Web developers and site administrators defend against the rapidly growing number of SQL injection attacks that aim to hijack legitimate sites.

"We released two new tools, and HP has released one, to help administrators discover flaws so that they can mitigate attacks," said Mark Miller, director of Microsoft's Trustworthy Computing product management.

The move is in response to a major upswing during the first six months of 2008 in the number of attacks targeting legitimate sites. Most of the hacks have used SQL injection attacks, and have compromised significant sites including ones operated by government agencies, the United Nations and major corporations.

In a report issued the same day, Finnish security company F-Secure estimated the number of pages hacked by SQL injection attacks so far this year at between two and three million.

Previously, Microsoft has denied that its software was vulnerable to attack or otherwise responsible for the flood of hacked sites. Instead, the company told developers and administrators to follow the company's guidelines to protect their sites from attack.

That stance hasn't changed, but Miller said Microsoft's customers have been asking for more help. "We have seen a recent rise in the number of SQL injection attacks," he acknowledged, "and we wanted to provide some tools and guidance to users so that they could deal with these attacks."

One of the two Microsoft tools came from the company's IIS (Internet Information Services) Web server developers. Dubbed "UrlScan," it's actually an updated version of a tool last refreshed in 2003, said Wade Hilmo, a senior development lead in the IIS group.

UrlScan, Hilmo added, can now scan query strings -- not only a URL itself, as before -- so that it can filter the malicious strings that power SQL injection attacks. But it's only a temporary stopgap meant to protect a site while developers go into the code to correct the problems being exploited. "This is only a mitigation," Hilmo cautioned.

It should block the bulk of attacks, however. "UrlScan can filter out all the known versions of the attacks we've seen this year," said Hilmo.

Microsoft's SQL Server team contributed the second Microsoft utility, "SQL Source Code Analysis Tool," which analyzes ASP .Net code and sniffs out vulnerable bits. APS.Net is Microsoft's Web application framework, and a major target of 2008's injection attack campaigns.

Fixes, however, must still be made manually by developers, said Bala Neerumalla, a software security developer in the company's SQL group.

Users shouldn't think that Microsoft is getting altruistic, said John Pescatore, an analyst with Gartner. "Don't fool yourself, if these attacks were only against, say, MySQL, they wouldn't be doing this." Rather, Microsoft is reacting to the uptick in attacks against ASP.Net code, he continued.

"This [SQL injection attack trend] really started when companies began looking at Web 2.0 and decided that they had to have things like social networking and blogging on their sites," said Pescatore. "A lot of those features were added and didn't go through the normal checks [for secure code]. That kind of tinkering leads to a loss of discipline."

Tools like these, added Pescatore, "rattle the doorknobs" of a site, like a city cop on a beat once did as he passed through his neighborhood. "Better for us to rattle them first," said Pescatore.

Also Tuesday, Hewlett-Packard's Web security team posted "HP Scrawlr" -- short for "SQL Injector and Crawler" -- to its Web site. Like "fuzzers" that researchers use to spot potential security problems in, for instance, file formats, HP Scrawlr analyzes Web pages for vulnerability to SQL injection attack, then reports its findings.

Microsoft unveiled its free tools in an advisory posted by the Microsoft Security Response Center, which included download links for UrlScan and SQL Source Code Analysis Tool.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftHPinternational news

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments