 |
Over the last week there have been a number of reports of automated SQL injection attacks on Web sites running Microsoft’s flagship IIS Web server. The Washington Post’s Brian Krebs summarizes them nicely in Hundreds of Thousands of Microsoft Web Servers Hacked.
If there is any good news in this, it is that the server modifications so far only amount to the addition of a Javascript malware loader on site Web pages. While this loader will infect unpatched browsers (and apparently RealPlayer and Yahoo Instant Messenger), the browser holes that it exploits are not new and patches have previously been made available. The status on RealPlayer and Yahoo IM is currently unclear.
It isn’t entirely clear whether there is actually a vulnerability in IIS or it’s just the usual problem of Web programmers not sanitizing user input, but Microsoft has issued a security advisory (951306) with workarounds.
Update: Microsoft’s Bill Sisk says that the problem is due to poor Web programming practices and not any IIS vulnerability and also that security advisory 951306 is for a different problem.
| S | M | T | W | T | F | S |
|---|---|---|---|---|---|---|
| « Mar | May » | |||||
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | |||
