Saturday, July 12, 2008

Slam these SQL Injection Attacks!

In January 2003, the Microsoft SQL Server community got a massive wake-up call. The SQL Slammer hit the internet. This denial-of-service virus brought down many database servers including those at Bank of America and Microsoft itself. The solution was to apply SQL Server 2000 SP3 which by pure coincidence had been released 10 days earlier. The actual hotfix had been available for 6 months or more but in those days many DBAs just waited for the next Service Pack. Big mistake! Attacks like this prompted Bill Gates to launch the Trustworthy Computing initiative and current project plans were elongated by 3 months to allow product teams to focus on security. Products under development included Windows Server 2003, Exchange 2003 and SQL Server 2005 - they all benefited from this "strategy".

But what about SQL Injection attacks?

SQL Injection attacks take advantage of poorly coded applications by submitting hidden code "injected" into a seemingly harmless piece of code. The solution is to make sure input fields from an application are fully validated including checking for special characters before they are used in SQL commands. Recently, this vulnerability has emerged in many ASP applications so Microsoft have produced a utility that will check ASP code for potential vulnerabilities.

Microsoft Source Code Analyzer for SQL Injection:

Check it out!

SQL Server 2008 may not come in August after all

Microsoft SQL Server is a relational database management system whose primary query language is Transact-SQL. The latest version of the Microsoft database platform is Microsoft SQL Server 2005 SP2, but Microsoft has for a while now been working on what was previously codenamed Katmai. Microsoft is planning to release the long-awaited Microsoft SQL Server 2008 (overview) sometime during the third quarter of this year.

At the Microsoft Worldwide Partner Conference, the company announced to partners that the new version is now listed on the August price list. Pricing is to remain the same as it is with SQL Server 2005. Various news sites took this information and ran with it: many began to report that SQL Server 2008 was becoming available in August, but this is not necessarily true.

Microsoft is still expecting the new version to arrive sometime in Q3. As Andrew Fryer put it on his blog: "Bottom line—It will be out sometime in Q3 when it’s ready," the fact that it is available on August's price list does not guarantee that it will become available then. It is entirely possible that the new version will launch just at the end of Q3 (late September), and even then, you can never rule out delays with Microsoft. Currently, the latest build is RC0 (released in early June). Once it is finally released, Microsoft has previously said that SP3 for SQL Server 2005 will arrive, hopefully in Q4.