Security is hard.

So the past few weeks have been rough on Microsoft and on Adobe. First, a flaw in Microsoft SQL Server allows ASP sites to be compromised by a general SQL injection attack; then a flaw in the Adobe Flash player allows a miscreant to hijack the Web browsers of people with the Flash plugin installed.

In both cases, the vulnerabilities have been exploited to try to redirect surfers to a Web site at www.dota11.cn, which hosts a malicious script that tries to infect users’ computers with a virus.

That’s the old news.

The funny news–and believe me, I think this is fucking hysterical–is that one of the Web sites clobbered by the SQL injection attack is redmondmag.com, a Web site that is “the independent voice of the Microsoft IT community.” It’s a pro-Microsoft, look-how-great-we-are “news” site that has been so massively infected that…

uh…

…well, if you Google it, Google gives you a “this site may harm your computer” warning.

Many of the infected Web pages are pages about computer security–or, at least, apologies for Microsoft products masquerading as articles on computer security.

I know, I know, the real assholes here are the hackers, but still…goddammit, I can’t stop laughing.

12 thoughts on “Security is hard.”

  1. Web apps have been prevalent for long enough by now that we should have seen two levels of fixes become entrenched.

    First, everyone who’s been programming for more than a year should know that building a SQL statement as a string that includes variables that come from user input is something you only do when you’re the only user. That’s pretty straightforward in Java and .Net, anyway.

    Second, there has been plenty of time for the database vendors to expand their security systems to support the needs of a web system (many logical connections over each TCP connection with specific user tracking, and some way to link web page permissions into the usual SQL GRANT system). We should not have to use database connections with more rights than the user has, or maintain a second security system apart from the database’s. The first approach will suffice, but it’s just a band-aid.

    We see the same thing with strings. Everybody yells about doing bounds checking, but the fact of the matter is, using null-terminated strings in the first place is playing with fire.
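
    The contrast this comment draws, as an added example that is not the commenter's own code: a lookup that builds its SQL as a string around user input beside the same lookup written as a parameterized query. Python's built-in sqlite3 module stands in for the ASP/SQL Server stack in the post, and the users table and its rows are constructed for the demonstration.

    ```python
    import sqlite3

    # Constructed sample data standing in for a site's user table.
    SAMPLE_USERS = [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ]


    def make_db():
        """Create an in-memory database holding the constructed sample rows."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
        conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
        return conn


    def lookup_unsafe(conn, name):
        """The pattern the comment warns against: the statement is assembled as a
        string that embeds the input, so the input can change the SQL itself."""
        sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
        return conn.execute(sql).fetchall()


    def lookup_safe(conn, name):
        """Parameterized query: the SQL text is fixed and the driver binds the
        value, so the input is only ever treated as data, never as syntax."""
        sql = "SELECT name, email FROM users WHERE name = ?"
        return conn.execute(sql, (name,)).fetchall()


    def unsafe_breaks_on_apostrophe(conn, name="O'Brien"):
        """The same defect seen from the functional side: a perfectly ordinary
        name containing an apostrophe makes the string-built query unparseable.
        Returns True if the database rejects the statement."""
        try:
            lookup_unsafe(conn, name)
            return False
        except sqlite3.OperationalError:
            return True


    def demo():
        """Run both lookups over an ordinary name and over a constructed input
        that contains a quote, and return the rows each one produced."""
        conn = make_db()
        ordinary = "alice"
        # Constructed input: in the string-built query the quote closes the
        # literal and the rest becomes part of the WHERE clause; as a bound
        # parameter it is simply a name that matches nobody.
        quoted = "x' OR 'a'='a"
        return {
            "unsafe_ordinary": lookup_unsafe(conn, ordinary),
            "safe_ordinary": lookup_safe(conn, ordinary),
            "unsafe_quoted": lookup_unsafe(conn, quoted),
            "safe_quoted": lookup_safe(conn, quoted),
            "safe_apostrophe": lookup_safe(conn, "O'Brien"),
            "unsafe_apostrophe_rejected": unsafe_breaks_on_apostrophe(conn),
        }


    if __name__ == "__main__":
        for label, result in demo().items():
            print(f"{label}: {result}")
    ```

    The point of running both forms side by side is that the ordinary input behaves identically, so the defect never shows up in normal testing; only input containing the quote character reveals that the string-built version lets data rewrite the statement, while the bound parameter returns nothing for the same input. The apostrophe case shows the same flaw is also a plain correctness bug.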

  2. Nonsense, null-terminated strings are perfectly fine in the right environment. Like most things in life, it’s left as an exercise to the reader/implementor to determine what that environment is. If you want to tumble and do gymnastics while carrying a scimitar, you need to be willing to accept the risk of chopping yourself off at the knees due to a misstep.

    I have no pity for people who can’t properly sanitize their data or learn and respect the underlying framework and strictures of their chosen development environment.

  3. Oh, that is a tasty nugget!

    I’ve got two brothers at Microsquish right now. One is even-handed about his employer, very meh. The other, though, has been there longer and seems to take any criticism of Bill’s Playhouse with umbrage, as if attacking MS is attacking him.

    I don’t understand it, but it seems to infect their culture; he isn’t the only one. This is confirmed by several ex-Softies with whom I converse. Their culture will not allow criticism. It’s very strange.
