Thursday, February 28, 2008

Malicious Code

Malicious Code is a new kind of threat which cannot be blocked by anti-virus software alone. In contrast to viruses (which require a user to execute a program in order to cause damage), malicious code is an auto-executable application. It can take the form of Java Applets, ActiveX controls, plug-ins, pushed content, scripting languages, or a number of new programming languages designed to enhance Web pages and email.

Early in 1997, a serious threat that involved a free Plug-In advertised as a multimedia viewer for Web movies was exposed. The free Plug-In silently redirected the computer's modem from the Internet access line to a pay-per-minute number, which cost users thousands of dollars in phone bills. Within a few months of this attack, a hacker organization used an ActiveX control to transfer funds by modifying Quicken files located on the local drives of people viewing their web page. In 1999, a program called "Picture.EXE" forwarded the usernames and passwords of many America Online users to unknown email addresses. Over 250 examples of malicious code have been documented since 1997.

Wednesday, February 27, 2008

SQL Injection

SQL Injection is simply a term describing the act of passing SQL code into an application in a way that was not intended by the developer. Since this topic is not specifically restricted to SQL Server, it is not included in the normal FAQ. In fact, many of the problems that allow SQL injection are not the fault of the database server per se but rather are due to poor input validation and coding at other code layers. However, due to the serious nature and prevalence of this problem, I feel its inclusion in a thorough discussion of SQL Server security is warranted.
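The following is an added example, not code from the original post, showing the point above in running code: the defect sits in the application layer, where user input is spliced into the SQL text, and the fix is to bind input as parameters (plus an allow-list check before the query is ever built). It uses Python's standard sqlite3 module with a small in-memory table constructed here, so it runs offline; the same pattern applies to SQL Server, where the bound-parameter form is a SqlCommand with SqlParameter values rather than a concatenated string.

```python
import sqlite3

def build_db():
    """Create a constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation.

    Whatever the caller supplies becomes part of the SQL statement itself, so a
    value containing a quote character can change the query's logic. Returns the
    list of usernames the database considers 'logged in'.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and input is passed as bound parameters.

    The driver sends the values as data, never as part of the statement, so the
    same input that subverts login_vulnerable() is simply compared literally.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def validate_username(username):
    """Application-layer allow-list check, applied before any query is built.

    Parameterization is the primary control; this is the additional input
    validation the post refers to, rejecting anything outside the expected shape.
    """
    return isinstance(username, str) and username.isalnum() and 1 <= len(username) <= 32

def demo():
    """Compare both query builders on a normal login and on a quote-containing input."""
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_crafted": login_vulnerable(conn, "alice", crafted),
        "parameterized_normal": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_crafted": login_parameterized(conn, "alice", crafted),
        "username_ok": validate_username("alice"),
        "username_rejected": validate_username(crafted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the concatenated query returning every user for the crafted password (the quote closes the string literal and the trailing OR makes the WHERE clause true for all rows), while the parameterized query returns no rows for the identical input because it is compared as a plain value. In a detection context, the tell-tale sign is the same on SQL Server: the statement text reaching the server differs from request to request instead of being a fixed statement with varying parameter values.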