Panda Security told SC US last week that hackers are injecting SQL code into web pages by taking advantage of a vulnerability in Microsoft's Internet Information Services (IIS) web server as part of the mass attack.
In response, Bill Sisk wrote in Microsoft's Security Response Center blog on Friday that the attacks are not a result of a vulnerability in Internet Information Services or Microsoft SQL Server.
“There are no new or unknown vulnerabilities being exploited. The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.”
Furthermore, Microsoft have determined that these attacks are in no way related to Microsoft Security Advisory 951306.
Agreeing, Patrik Runald, security response manager at F-Secure, said in his security blog that the attacks succeed because of poorly written ASP and ASPX (.NET) code. However, he admitted the vendor had so far only seen websites running Microsoft's IIS web server and Microsoft SQL Server being hit.
Well over 500,000 websites were affected by the attack, F-Secure warned. Runald said it is crucial to verify what information gets stored in databases and back ends.
“Especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms, unless that data is sanitised before it gets saved you can't control what the website will show to the users,” he said.
“This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code).”
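The injection snippet Runald refers to is not reproduced on this page. As an added illustration of the two controls the article points at (checking what reaches the database and controlling what the site then shows to users), the following Python code, which is not from the article or from any vendor it quotes, contrasts a query built by string concatenation with a parameterised one using the standard-library sqlite3 module, and adds HTML output encoding for stored content. The table layout, sample posts and the quote-containing probe string are constructed for the example.

```python
"""Added example: unparameterised query versus bound parameters, plus
output encoding of stored user content. Uses only Python's standard
library; schema and sample rows below are constructed for illustration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema standing in for a forum's posts table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (author, body) VALUES (?, ?)",
        [("alice", "first post"), ("bob", "hello"), ("carol", "third post")],
    )
    conn.commit()
    return conn


def posts_by_author_vulnerable(conn: sqlite3.Connection, author: str) -> list:
    # The weak pattern: user input is pasted straight into the SQL text,
    # so a single quote in the input changes the meaning of the statement.
    sql = "SELECT author, body FROM posts WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def posts_by_author_safe(conn: sqlite3.Connection, author: str) -> list:
    # The fix: the value travels as a bound parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT author, body FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def save_post_safe(conn: sqlite3.Connection, author: str, body: str) -> int:
    # Storing user-supplied content with bound parameters; returns row count.
    conn.execute(
        "INSERT INTO posts (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()
    return conn.execute("SELECT count(*) FROM posts").fetchone()[0]


def render_body(body: str) -> str:
    # Output encoding: whatever sits in the database is displayed as text,
    # so stored markup cannot become part of the page the user receives.
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo() -> None:
    conn = make_db()
    # Constructed input containing a single quote, typed as a user might.
    probe = "alice' OR 'a'='a"
    print("concatenated query returned", len(posts_by_author_vulnerable(conn, probe)), "rows")
    print("parameterised query returned", len(posts_by_author_safe(conn, probe)), "rows")
    save_post_safe(conn, "dave", "it's <b>fine</b>")
    for _author, body in posts_by_author_safe(conn, "dave"):
        print(render_body(body))


if __name__ == "__main__":
    demo()
```

Run as a script, the concatenated form returns every row for the probe string because the quote terminates the literal and the remainder becomes part of the WHERE clause, while the parameterised form returns none, since no author is literally named that; the rendered post shows the angle brackets escaped rather than interpreted.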
Microsoft denies mass web-attack result of vulnerabilities
By Negar Salek on Apr 28, 2008 3:24PM