posted by Thom Holwerda on Mon 28th Apr 2008 19:22 UTC, submitted by Hakime
In an entry on Microsoft's IIS Blog, Bill Staples explains that, despite earlier reports online, the attacks are not related to Security Advisory 951306 or any other security flaw in Microsoft's IIS 6.0, ASP, ASP.NET or Microsoft SQL technologies. Instead, the crackers used automated SQL injection attacks.
Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.
Staples links to various websites that give more information on SQL injection attacks, and how to shield yourself from them. In addition, the IIS.net website follows the issue and provides more information as the case develops.
Microsoft's investigation revealed no unpatched security holes in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so end-users should just install all the latest patches to shield themselves from these attacks.


