Security company F-Secure confirms

Apr 29, 2008 10:44 GMT

Microsoft says that its technology is in no way at fault for the massive web server attacks that have already affected more than half a million webpages. Last week, security company F-Secure revealed that over 500,000 pages had been compromised through SQL injection. The attacks target only websites running on Microsoft IIS Web Server and Microsoft SQL Server. However, this does not mean that those products are what enables the SQL injection. Bill Sisk, Security Response Communications Manager at Microsoft, clarified the issue.

"Our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server," Sisk revealed. The Redmond company emphasized that a privilege escalation vulnerability impacting Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 is in no way related to the wave of SQL injections.

F-Secure confirmed that, although the websites being hit run IIS Web Server and SQL Server as their infrastructure, the "attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code." Compromised websites go on to serve malicious code packages to their visitors. F-Secure explained that the attacks rely solely on the failure of sites with database back-ends to properly sanitize the content submitted to them, and are not the result of a security flaw in IIS 6.0, ASP, ASP.Net or Microsoft SQL.

"The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices," Sisk added.
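The "poorly written ASP/ASPX code" F-Secure describes and the "industry best practices" Sisk refers to come down to how a page hands request input to SQL Server. The following ADO.NET lookup, added here as an illustration and not code from Microsoft, F-Secure or any affected site, shows the vulnerable string-concatenation pattern next to its parameterized replacement; the connection string, the `Products` table and its columns are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the article. Both methods look up a product by an id
// taken from the request (query string or form field). Connection string and
// table layout are placeholder assumptions.
public static class ProductLookup
{
    const string ConnString =
        "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true;";

    // Vulnerable pattern: the untrusted value is spliced into the SQL text, so
    // whatever the client sends becomes part of the statement SQL Server parses.
    // This is the class of code the article blames; shown for contrast only.
    public static DataTable FindByIdVulnerable(string idFromRequest)
    {
        string sql = "SELECT Name, Price FROM Products WHERE Id = '"
                     + idFromRequest + "'";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            var table = new DataTable();
            conn.Open();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }

    // Hardened pattern: validate the type first, then send the value as a typed
    // parameter. The statement text never changes, so the input can only ever be
    // a value in the WHERE clause, never additional SQL.
    public static DataTable FindById(string idFromRequest)
    {
        if (!int.TryParse(idFromRequest, out int id))
            throw new ArgumentException("Product id must be an integer.");

        const string sql = "SELECT Name, Price FROM Products WHERE Id = @Id";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            conn.Open();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }
}
```

The same rule applies to every query the site builds from request data, not just numeric ids: free-text fields go through parameters as well, and a review for string-built SQL across the ASP/ASPX code base is the quickest way to find the spots these mass attacks exploit.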