Microsoft SQL Injection Security Advisory

Microsoft has released a security advisory in response to the rapid increase in SQL injection attacks that have happened lately. This advisory was released to assist Web site administrators in identifying SQL injection issues within their Web application code, and to provide temporary solutions to mitigate SQL injection attacks against the server. The full advisory can be found at http://www.microsoft.com/technet/security/advisory/954462.mspx

It’s good to see Microsoft release such an advisory with explicit details on how to mitigate current issues and avoid SQL injection in the future. We have seen too many applications vulnerable to SQL injection, no matter if they’re ASP, PHP, Perl, Ruby or anything else. If you’re an ASP developer be sure to read this advisory and implement the listed strategies when coding, if you haven’t already.

VMWare ESX and Java ASP Vulns, Akamai Exploit

Sun’s Java Active Server Pages version 4.0.2 contains multiple vulnerabilities. These vulnerabilities are numerous and could result in a variety of negative consequences; including remote system compromise, bypassing security restrictions, and manipulation of data. Sun has released version 4.0.3 that corrects the issues in 4.0.2.

VMWare ESX server versions 2.x and 3.x are vulnerable to information disclosure, denial of service, and in some cases remote system compromise. All administrators and users of VMWare should consider applying the vendor provided patches to their software. Full details can be found at http://www.vmware.com/security/advisories/VMSA-2008-0009.html.

The Akamai download manager contains and input validation error in its’ ActiveX control. This could result in system compromise or a denial of service when a user visits a malicious web page. The vulnerability affects versions 2.2.3.5 and prior. A working exploit has already been released. Update to version 2.2.3.7, available at http://dlm.tools.akamai.com/tools/upgrade.html