American Programmers Independent, LLC.


Lisa Moon XSS over 1 million web sites infected

Posted on April 8, 2011 by John Nash

Bottom line, people: turn off JavaScript by default. Turn it on manually for each web site you know and trust, such as your bank. If everyone had JavaScript turned off by default, this XSS attack would be ineffective.

From http://www.eweek.com/c/a/Security/LizaMoon-Mass-SQL-Injection-Attack-Escalates-Out-of-Control-378108. It is worth a quick read to stay on top of things. The article describes what the user sees that allows the malware to be planted on their computer.

“A mass SQL injection attack that initially compromised 28,000 Websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.

Security firm Websense has been tracking the “LizaMoon” attack since it started March 29.

… legitimate Websites have been compromised in a way that one line of code has been embedded on the site. That code is a simple redirect, and executes when the user loads the page. The bulk of the action happens on the redirected page, where a script containing Javascript code kicks off the fake AV scam.

Commenters asked Websense why researchers were so convinced it was a SQL injection on multiple Websites and not a mass cross-site-scripting attack. The researchers said they’d been contacted by people who have seen the code in their Microsoft SQL Server 2003 and 2005 databases. The vulnerabilities weren’t within the database software, but “most likely in the Web systems used by these sites, such as outdated CMS and blog systems,” Runald said.”
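For site owners who want to check whether stored content carries a line like the one described in the quote, here is an added example (not from the original post or the eWeek article). It assumes the embedded line is a `<script>` tag loading from a host the site does not use; the allowlist, the sample rows and the host `redirect.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names, so <SCRIPT SRC=...> is caught too.
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())

def foreign_script_hosts(fragment, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return hosts of external scripts in fragment that are not allowlisted."""
    collector = ScriptSrcCollector()
    collector.feed(fragment)
    collector.close()
    hosts = []
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative (same-origin) paths
        if host and host not in allowed:
            hosts.append(host)
    return hosts

def scan_rows(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, column, text); return the suspicious ones."""
    findings = []
    for row_id, column, text in rows:
        hosts = foreign_script_hosts(text or "", allowed)
        if hosts:
            findings.append((row_id, column, hosts))
    return findings

# Constructed sample rows; redirect.example is a placeholder, not a real indicator.
SAMPLE_ROWS = [
    (1, "title", "Spring sale"),
    (2, "title", "Spring sale</title><SCRIPT SRC=http://redirect.example/x.js></SCRIPT>"),
    (3, "body", '<p>Hi</p><script src="//cdn.example.org/app.js"></script>'),
    (4, "body", '<script src="/static/site.js"></script>'),
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

In practice the rows would come from the text columns of the CMS or blog database; a hit tells you which records to clean, and the underlying injection flaw in the web application still has to be patched.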

Copyright © 2019 American Programmers Independent, LLC. - All Rights Reserved Worldwide