Viral Scareware Infects Four Million Websites 71
oxide7 writes "A fast-spreading SQL injection attack that illegally peddles a bogus scareware has been breaking anti-virus barriers and compromising millions of websites, besides defrauding unsuspecting victims. The news of this attack was brought out by Websense Security Labs in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign which it named LizaMoon."
Re:Stupid (Score:4, Insightful)
Only people who've been thoroughly windows-indoctrinated could use terminology like that -- it actually means nothing at all, except "we don't know what we're doing here".
Re:more information (Score:4, Insightful)
First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server
Strictly speaking, that is true. However, SQL Server supports a multiple statement binding syntax that makes it uniquely vulnerable to these kinds of injections in poorly written programs - i.e. you can start a new SQL statement anywhere simply by injecting a semicolon followed by whatever SQL you like.
That is why if a SQL injection attack ever affects tens of thousands of sites, it is inevitably a poorly written SQL Server application. If I were Microsoft, I would add an option to turn the traditional syntax off, deprecate it for future use, and require block syntax to process multiple statements. That doesn't eliminate the problem, but it greatly reduces the possible attack surface, and the severity of the attacks that do get through.
Comment removed (Score:5, Insightful)