Adobe sites under attack
Just weeks after a BusinessWeek Web site was hit by an SQL injection attack comes news that Adobe has had to deal with two of its Web sites being compromised the same way.
“I can confirm that the Adobe sites were affected,” said Richard Wang, manager of the US offices of security vendor Sophos Laboratories. Sophos discovered the compromised sites.
Adobe did not respond to requests for comment by press time. Wang said that after Sophos contacted Adobe, the software company said issues at both of its Web sites had been cleaned up, a statement Sophos confirmed in a follow-up check that found them “clean” and no longer at risk.
Security experts told InternetNews.com that the increasing use of Web 2.0 capabilities (http://www.internetnews.com/ec-news/article.php/3750786/Growing+Pains+for+Web+20.htm) is making such attacks commonplace, and that hackers are tweaking their tools to better hone their attacks.
One of the Adobe (NASDAQ: ADBE) Web sites infected was its Vlog It support section, an area providing tips for video bloggers. Sophos today notified users about this.
The other infected Adobe site Sophos discovered is Serious Magic. Adobe acquired Serious Magic, which produces high-quality video and communication software, in October 2006.
Security vendors have been watching the Asprox botnet closely because “we’ve seen the Asprox botnet changing,” Ryan Barnett, director of application security at Web security vendor Breach Security, told InternetNews.com. “When it came out, it targeted Microsoft-based Websites, with asp or asp.net on the front and Microsoft SQL Server on the back end.”
Now, “it doesn’t really matter what the front end Web technology is — PHP, Java, as long as you have a Microsoft (NASDAQ: MSFT) back end database with user permissions that are too wide and SQL query constructions that are not set up properly, you can get infected,” Barnett said.
Attacks on Microsoft-based Web sites with asp or asp.net were so common at one time that Microsoft issued an advisory on this in June. The problem, Microsoft said in the advisory, was with sites that “do not follow secure coding practices for accessing and manipulating data stored in a relational database.”
It’s all about SQL injections
“SQL injections are a huge problem, and they need to be addressed at the Web and database layers, and you need to encode the outbound data properly,” Barnett said. “Then there’s cross site scripting where the bad guys inject JavaScript into a Web site somewhere so it executes when it goes out to client pages.”
Together, SQL injections and cross site scripting account for “about 60 percent” of all Web site attacks, Dave Marcus, director of security research and communications at security vendor McAfee, told InternetNews.com. “They’re usually Number One and Number Two,” he added.
source: internetnews.com