I will be getting back to the "Day in the Life of the DBA" series of posts, but I got this from the security folks today and thought I would share it:
Today the MSRC in collaboration with SQL Server, IIS, and Hewlett Packard published Microsoft Security Advisory 954462 (link) announcing a set of tools that customers can use to defend themselves against SQL injection attacks against their ASP websites and identify and mitigate their root ASP code vulnerabilities. This is a follow on to the blogging referenced below that provided guidance on addressing these same issues. The toolset provides customers with automated assistance in defending against these attacks and correcting the root cause. Any future communications regarding these attacks should direct customers and field personnel to this advisory.
The following three tools are available for immediate download:
· Microsoft Source Code Analyzer for SQL Injection (link)
o New static analysis tool that identifies SQL injection vulnerabilities in ASP source code and suggests fixes. Enables customers to address the vulnerability at the source.
· URLScan 3.0 (link)
o Updated version of the IIS tool that acts as a site filter by blocking specific HTTP requests. Can be used to block malicious requests used in this attack.
· Scrawlr (link)
o New scanning tool from Hewlett Packard that scans websites looking for SQL injection vulnerabilities in URL parameters.
There are links to additional content within the advisory, as well as a number of supporting blogs:
IIS Blog 2
Stopping SQL Injection in its Tracks Highly recommended if you are running ASP or IIS.
Quem trabalha com bases de dados, sabe muito bem o tamanho do problema que este tipo de ataque representa.