Slashdot Mirror


User: Kahless2k

Kahless2k's activity in the archive.

Stories: 0
Comments: 47

Comments · 47

  1. Re:$conn_id = mysql_connect("microsoft.com") on New SQL Injection Attack Fuses Malware, Phishing · · Score: 1

    First of all, this is not new. My logs have shown attempted attacks like this for over a month.

    Second, the attack vector is not simply requesting parameters and passing them to the database; the code is sent as part of the querystring, which the server parses causing the code to be executed which appends the script call into most text fields in your database, in every record.

    Default validations do NOT catch all the attempts, certainly most, but the odd one does get through validation - at this point, it doesn't matter how you coded your queries, as long as you have tables with text fields you are just as screwed - the code simply hits every table. Again, you do NOT have to pass this code to the database in your script to be vulnerable.

    There are modules to beef up the validation, and they work well to prevent this, but you don't have to be an idiot to be hit - and I resent that statement.

    And yes, I operate a couple dozen sites across a number of servers and can see this activity clearly in my logs and have one or two successful attacks on fully patched servers to draw my information from.

  2. Re:I have had customer experiences like that on Children Concerned By Parents' Web Habits · · Score: 2, Informative

    Actually, first of all - the kids were present. Second - if you read my post, they were regulars and did speak with us on that level often.

    Don't go on like that unless you read the post you're going on about.

  3. I have had customer experiences like that on Children Concerned By Parents' Web Habits · · Score: 5, Interesting

    When I read this, a situation that I ran into in January came to mind.

    A couple of our regular customers come in to upgrade both of their machines (each parent had one - neither of the two low-end by any means). They priced out about 1500 dollars worth of parts and openly debated about maxing their (only) credit card out on the parts.

    Normally, this wouldn't bother me - not any of my business how they pay, so long as they do.

    Then, however, after deciding to go ahead and buy the parts - they start going on about how the husband was laid off in December and still hadn't found work - AND THAT THEY HADN'T BEEN ABLE TO AFFORD ANYTHING FOR THEIR KIDS FOR CHRISTMAS less than two weeks before.

    Their reason: If they don't keep up with WoW they may get kicked out of their Guild!

    It may be none of my business, but I'm a parent myself and this just sickens me. I finally ended up having sudden 'stock shortages' and found a way to talk them out of the parts, but still...

  4. Re:Will XP OEM version still be for sale? on XP Deathwatch, T Minus 2 Weeks · · Score: 1

    My suppliers are saying that at least in the near future it should be available, but I plan to stock up this week just in case.

  5. Re:So Copyright Infringement is Not Theft? on Microsoft Goes After "Career Pirates" · · Score: 2, Informative

    I do both in-home and in-store service, and I see a LOT of bootleg Windows and Office installations. As a professional, I feel that it's my responsibility to at least make sure the customer is aware that their installs aren't legal. I don't take it any further than that as it isn't any of my business, though I will absolutely not install a bootleg for a customer (if they don't want to buy Windows I suggest Ubuntu; if they don't want to buy Office, I suggest OpenOffice). There are at least two shops in town here where they will sell a computer with Windows, charge for Windows, then install a bootleg; and I can tell you that most people get rather pissed off when they find out they didn't receive what they paid for.

  6. Re:Real Reason on Canada Blocks Sale of Space Tech Company To US · · Score: 1

    Not all of DC, just the Capitol building - though I always enjoy pointing that out to my American colleagues...

  7. Another good reason to avoid the box stores on Sony Offers Bloatware Removal Service — For a Fee [Updated] · · Score: 2, Interesting

    When my shop sells any new system, my techs go over the machine before it leaves the building - the first thing I have them do is remove the crapware (including the Norton trial most come with), load Avast if they don't have their own AV, install Spybot, Windows updates. The idea is that the user can take full advantage of the system from the moment it leaves the store.

  8. From a vista user's perspective on Windows Vista SP1 Meeting Sour Reception In Places · · Score: 5, Insightful

    I've been using Vista for a while now (I need to know it for work) and have followed the SP1 saga for some time - and from a lot of the posts above, I seem to be one of very few...

    There are a handful of drivers (there is a list on TechNet I believe, but I'm too lazy to dig a link up, but check one of the first posts in the last SP1 post on Slashdot) which for one reason or another install themselves in such a way as SP1 makes them inoperable. The solution is to reinstall the drivers after SP1. Microsoft is trying to make this smooth - with Vista's reputation, what do you think would happen when Joe Public installs an update and their sound driver goes bad? Simple solution or not it is only going to hurt the reputation further.

    It is very good to see that at least SP1 backs out cleanly when it sees it cannot complete the update, and from what I have read and heard from customers (mainly Joe Public types) that SP1 is installing without real issue for the majority of people. Personally, I installed last night without any issues - I actually noticed that my machine feels more responsive in a number of areas.

    With that said, it is a service pack.. sometimes there are compatibility issues, look at XP SP2 when it came out but nobody bitches about that anymore; if the negative impact is minimized, then good for them.

    Put away your pitchforks for once.. I've had enough updates on my Linux boxes go wrong that I find the "Evil Microsoft, Linux perfect" comments being hypocritical - but then, this IS slashdot..

    (I know I'll be modded into oblivion because of that last comment, but I had to say it)

  9. Great idea.. Parents always know their kids emails on Parents To Block Kids From Joining MySpace · · Score: 5, Interesting

    Really.. When I was younger I told my parents what all my email addresses were, and I would never have created a new hotmail, etc address without telling them......

    Someone needs a dose of reality.

  10. Re:I guess that's why on Canada's Copyright Cops Give Go-Ahead For iPod Tax · · Score: 1

    All I have to say is.... Arrrrr Eh!

  11. Re:I hope it works better than WGA on Vista to Include Stepped up Anti-Piracy Measures · · Score: 1

    In my experience; if you do the install with a Dell OEM CD, the code on the COA will activate just fine. If you use a different CD (retail, other OEM, etc) then you have to phone activate. Message to Grandparent Poster: You're not seriously calling the phone activation system "complicated" are you? Pain in the butt? Yes. Complicated? No.

  12. Re:*Ahem* on Computer Analysis Sets NASA History Straight · · Score: 5, Funny

    Would you people stop modding my parents; They're starting to complain.

    *ducks*

  13. Re:XP Pro Corp to Home = No Repair on Options for 'Fixing' A Pirated Copy of Windows · · Score: 1

    MS has a key changer on their site: http://www.microsoft.com/genuine/purchase/UpdateInstructions.aspx
     
    Won't work with an OEM Key, but it does work for retail keys -> I've successfully changed several keys for customers of mine using this tool (you DO need a legit key though).

  14. Re:Not a coffee drinker, are you? on Site Says 'Go Away!'; Federal Court Says No · · Score: 2, Interesting

    I worked at a Tim Hortons (big Canadian Coffee chain for those who don't know); and our coffee was brewed at about 190 degrees (the Tea is just under 200).
     
    I saw a pot break while one of my staff members was about to pour a coffee, and got nearly a full pot down the inside of her upper thighs resulting in 3rd degree burns.
     
    With that said though, at one time, one of our warmers was broken and the coffee was served at about 160 degrees - you wouldn't believe the number of complaints about the coffee being too cold..

  15. Re:Vista won't be better on MS to Launch Paid Security Subscription Service · · Score: 1

    You're not honestly going to say that you don't think that antivirus / antispyware is a good thing to have on a machine used by the type of person who will click OK to everything they see?

    A firewall is useful on any system (not just Windows), and anyone storing data on their machine and NOT doing some kind of data backup (at least for the important data) is crazy.

    As for the performance tune-ups, it really just puts the common tools into one place (defrag, clear temp files, etc)

  16. Re:In search of the almighty $ on MS to Launch Paid Security Subscription Service · · Score: 1, Insightful

    The problem is (as proven by Webroot's suit against MS about Windows Defender being integrated into Vista) that if they DID integrate it, all the AV vendors (and a number of Slashdotters) would scream ANTITRUST!

    Anyways; how many virus infections are caused by user stupidity and not necessarily flaws in the OS? As long as users put their computers online and click YES to everything that pops up, there will be people who exploit that.

    Agreed, users running as Admin all the time is not well thought out; But as people have stated before this is something that has been going on since before Viruses were a real threat and had to be grandfathered in so as not to break all the users' software (also, admittedly lazy programming on the s/w vendors' parts). Since MS is changing that model in Vista (if and when it ships), I'd say they're at least working towards a tighter security model.

  17. ....A little late? on MS to Launch Paid Security Subscription Service · · Score: 3, Informative

    I used the OneCare beta for quite a while (actually a good product IMHO).. But the subscription service started at the beginning of the month... Slashdot is a little late in reporting it.. On a side note; I did stop using OneCare when I tried to pay for the subscription (reduced rate for beta users) only to see (for the first time) U.S. Only, with international support at some point in the future (a year?). Anyways.. my $0.02

  18. They want hits..... on Suing Google Over Pagerank · · Score: 1

    Then let's do what Slashdot does best.. Let's give them the (unpaying) traffic they want!

  19. Re:This company should be charged... on Cell Phone CEOs Marked For Phone Cloning · · Score: 0, Troll
    ...any jurisdiction on our soil

    It's spelled S-N-O-W, not S-O-I-L :)

  20. Re:Over 40 years old developers.... on Where Do All of the Old Programmers Go? · · Score: 1

    I would have to disagree. I'm a fairly recent College Grad, and my course included both COBOL and RPG. Though, the reasoning is that most of the COBOL programmers will be retiring, and someone needs to do it..

    Well.. when I think about it again.. maybe I don't disagree all that much...

  21. Re:Beaten? on Kansas Anti-Creationism Professor Resigns · · Score: 1
    show me an article where a 'fundie' screams 'For Jesus!' and blows him/herself up + anyone nearby...

    I don't know about blowing themselves up... but I seem to remember this thing called the crusades....

    Anyone who believes something so strongly that everyone who disagrees is wrong or a sinner or yadda yadda (and refuses to even hear opposing points of view) - can be dangerous.

  22. Someone had to say it... on Scientists Produce Fearless Mice · · Score: 1

    I for one hail our new rodent overlords! Someone needs to get rid of the old ones though..

  23. Re:Aaarrrrrgh!! on Pirates Thwarted by Sonic Weapon · · Score: 1

    Nah, they wouldn't be asking for one themselves; They'll just claim Prior Art (I agree. most of the crap they release IS painful) and patent the idea..

  24. Somebody has to say it.... on Pillows Dangerous for Your Health · · Score: 1

    Don't let the bed bugs bite!

  25. Re:Genuine question on It's Time To Take Back Instant Messaging · · Score: 1

    Although I agree that at the teenage level IM and cell phones are the primary means, but in my experience the business world relies on email much more than IM (IM is actually pretty rarely used). The exception being video conferences using software like NetMeeting (shudder), but I wouldn't call that an IM service.

    Just my $0.02