Malware from mass SQL injections confirmed by security experts

June 5, 2008

Nearly 20,000 websites have been attacked by unknown malicious computer users using a technique known as an SQL injection. The attackers have inserted code to install malware onto visitors' computers. The code exploits a newly-discovered weakness in Adobe Flash Player, a very common web-browser plugin. The attacks prompted an investigation by the Taiwanese information security industry into the source of these attacks.

An SQL injection is a common method employed by malicious users to attack and deface websites, arising from website mistakes in checking user input. Attackers take advantage of these weaknesses to inject information of their choosing into the website. For example, in June of 2007, Microsoft UK found its webpage changed to a picture of the Saudi Arabia flag, an attack which was carried out using an SQL injection.

According to SecurityFocus, this most recent series of attacks stems from a vulnerability in versions 9.0.115.0 and 9.0.124.0 of Flash Player. It allows attackers to load any code they wish onto a computer running these versions of Flash.

As the vulnerability in Flash is newly discovered, Adobe has not yet released a newer version which fixes the problem. For the time being, computer security experts recommend that internet users with one of the unprotected versions of Flash disable the plug-in on Mozilla Firefox or Internet Explorer to prevent malicious users from gaining control over their computers.

The most recent version of the Flash Player, version 9.0.124.0, does not appear to be vulnerable to this exploit.