Microsoft denies fault in hacks
Microsoft is denying that a recent rash of Web server attacks is the company's fault.
In a blog post late Friday night, Bill Sisk of the Microsoft Security Response Center wrote that the attacks are not due to any new or unknown security flaws in Internet Information Services or Microsoft SQL Server. Rather, he says, the attacks are made possible by SQL injection exploits, and he points Web developers to the company's list of best practices to prevent such attacks.
Ongoing attacks have affected half a million Web pages, compromising them so they serve up malware, according to several reports. The hacked sites include government sites in the U.K. and sites belonging to the United Nations.
All it takes for a computer to become infected is a visit to a compromised site. When the site is viewed, the injected JavaScript loads a file named 1,js. The file is located on a malicious server, which then attempts to execute eight different exploits targeting Microsoft applications.


"[attempt] to execute eight different exploits targeting Microsoft applications."
Why do we in the computer industry automatically blame the victim or the developer? Is this conditioning or our binary way of thinking or?
The real people who we should be blaming and going after are the malware writers (MalZ) and not Microsoft or Mozilla or McAfee.
We might also start blaming our governments as well for being so far behind in combatting this criminal behaviour.
When someone breaks into your house do you blame the contractor?
When someone steals your car do you blame Ford?
We have to stop this blame-the-developer mentality because it takes us away from what should be our main focus and that is finding and eliminating the MalZ that are attacking our systems. We need to either get our police forces to start catching these guys or we have to do it ourselves if they are unable or unwilling.
Microsoft has never told a lie, so that settles it then.
1.8 Million Infected Sites!
by Stating, April 27, 2008 8:18 PM PDT
Google this: "1,js". This is a national security risk.

Huge number of infected sites:
THE UNITED NATIONS (events.un.org/Edetail.asp?EventID=1055&BeginDate=1/22/2007)
United Methodist Church, Harcourt Publishers,
Bahrain Oil and Gas, West Virginia Wesleyan College, e-law, Wyoming Ranch Vacations, Wine Bars, Podcasts, Capacitor sales, Water Heater sales, Toyota dealers, RV parks, chiropractors, etc.
Here's a choice discussion:
"The script -www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless as to the vulnerability in our code. After a restore, the site gets hit every other day. I've searched around and no one seems to have an answer to this specific problem. There's no doubt in my mind that our coding has a loophole in it somewhere, but I'm not sure what to look for."