Malware from mass SQL injections confirmed by security experts
Thursday, June 5, 2008
Nearly 20,000 websites have been attacked by unknown malicious computer users using a technique known as an SQL injection. The attackers have inserted code to install malware onto visitors' computers. The code exploits a newly discovered weakness in Adobe Flash Player, a very common web-browser plugin. The attacks prompted an investigation by the Taiwanese information security industry into their source.
An SQL injection is a common method employed by malicious users to attack and deface websites, arising from mistakes websites make when checking user input. Attackers take advantage of these weaknesses to inject information of their choosing into the website. For example, in June 2007, Microsoft UK found its webpage changed to a picture of the Saudi Arabian flag, an attack which was carried out using an SQL injection.
According to SecurityFocus, this most recent series of attacks stems from a vulnerability in versions 9.0.115.0 and 9.0.124.0 of Flash Player. It allows attackers to load any code they wish onto a computer running these versions of Flash.
As the vulnerability in Flash is newly discovered, Adobe has not yet released a newer version which fixes the problem. For the time being, computer security experts recommend that internet users with one of the unprotected versions of Flash disable the plug-in on Mozilla Firefox or Internet Explorer to prevent malicious users from gaining control over their computers.
The most recent version of the Flash Player, version 9.0.124.0, does not appear to be vulnerable to this exploit.