Archive for May, 2008

Tsunami
SANS is reporting a new wave of the mass SQL injection automated attack against MS ASP + MS SQL Server web sites.

To my surprise and disappointment, the first commenter on the SANS diary entry wrote:

If you're using Firefox, exploited sites may reach out and "touch" you even before you look at cached pages, unless you've manually disabled "network.prefetch-next" in "about:config". Check out http://www.google.com/help/features.html#prefetch for more information.

Such a statement is either misleading or plain wrong (depending on what you mean by "touch"), since no remote code gets executed when pages are prefetched: the raw content is just stored in the cache for faster access, and cannot do any harm.
Furthermore, if you're using Firefox you're immune from exploits targeting Internet Explorer vulnerabilities, which are a very common payload, and if you're running NoScript you won't be "touched" by any part of this attack: the initial malicious script of the chain is prevented from loading, and even if it wasn't, the plugin-based exploitation attempts would have been blocked anyway.

On a side note, I've updated the post-mortem cleanup SQL script I attached with no guarantee in my previous post for site administrators, after reader Scott reported that it was not working properly. Now it's debugged and "tested" on SQL Server 2005 (should work on other versions as well).

But again: if you own a web site, a serious code review to eliminate SQL injection opportunities is mandatory, unless you want your site to get reinfected on next round. It's happening right now...

As I can easily tell by looking at flashgot.net and noscript.net Apache logs, every day the blogosphere gets flooded by copycat articles about "Top 5 Firefox Extensions" or "Best 10 Add-ons".
Yesterday, though, I've been pleased by a slightly different variation: Keeping Safe on the Web: 8 Firefox Addons for Privacy and Security.

  • Once in a while, this is not just a rehash of an AMO category, like recommended or popular.
  • Its item count is a power of 2, rather than banally a divisor or a multiple of 10 ;)
  • It features two often neglected extensions by Stanford University, Safe History and Safe Cache, which can effectively mitigate some interesting attacks on our privacy. Any web page can quite easily discover if we've visited certain sites by exploiting the visual feedback of our navigation history or the performance differences caused by our cache. Most people don't know or don't care, but such a vulnerability may be critical if you're under an oppressive regime or you're an interesting blackmail target. Even if these two extensions impose some usability and performance burden (SafeHistory, for instance, scans all the links of a page to "artificially" color them as visited only if they've been previously followed from the same site, and this can cause noticeable unresponsiveness on pages with many links), they're the best defense we've got -- other than clearing both cache and history every time we navigate to a new site -- until these bugs (affecting all the major browsers) are fixed.
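As an added illustration (not code from the post or from the SafeHistory extension itself), here is a simplified model of the same-site visited-link policy described above, showing why a third-party page learns nothing from it while a site keeps visited feedback for links followed from its own pages. The site names, URLs and navigation log are constructed sample data; the policy rule is a simplification of the extension's behaviour.

```javascript
// Constructed navigation log: which origin the user was on, and which URL
// was followed from it. (Sample data, not from the original post.)
const navigationLog = [
  { fromOrigin: "https://news.example",  to: "https://bank.example/login" },
  { fromOrigin: "https://news.example",  to: "https://news.example/story/7" },
  { fromOrigin: "https://forum.example", to: "https://clinic.example/results" },
];

function originOf(url) {
  return new URL(url).origin;
}

// Default browser behaviour: a link is styled as visited if the URL was ever
// visited, no matter which site is rendering the link. This is the state a
// page can read back through styling or timing side channels.
function naiveVisited(linkUrl, log) {
  return log.some((e) => e.to === linkUrl);
}

// Same-site policy (simplified SafeHistory model): a cross-site link is styled
// as visited only if the user previously followed that exact link from the
// origin that is now rendering it; same-origin links behave as usual.
function safeVisited(pageOrigin, linkUrl, log) {
  if (originOf(linkUrl) === pageOrigin) {
    return naiveVisited(linkUrl, log);
  }
  return log.some((e) => e.fromOrigin === pageOrigin && e.to === linkUrl);
}

// Which of a list of candidate URLs a page at pageOrigin would see as visited
// under a given policy, i.e. what that page could infer about the user.
function visibleAsVisited(pageOrigin, urls, log, policy) {
  return urls.filter((u) =>
    policy === "naive" ? naiveVisited(u, log) : safeVisited(pageOrigin, u, log)
  );
}

const probes = ["https://bank.example/login", "https://clinic.example/results"];
console.log(visibleAsVisited("https://evil.example", probes, navigationLog, "naive"));
// → both URLs: unrelated sites learn the user's history
console.log(visibleAsVisited("https://evil.example", probes, navigationLog, "safe"));
// → []: nothing leaks to a site the user never followed these links from
console.log(visibleAsVisited("https://news.example", probes, navigationLog, "safe"));
// → ["https://bank.example/login"]: news.example keeps feedback for its own links
```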

Thanks to Dave Drager for the useful reminder.
