Over the last week there have been a number of reports of automated SQL injection attacks on Web sites running Microsoft’s flagship IIS Web server. The Washington Post’s Brian Krebs summarizes them nicely in “Hundreds of Thousands of Microsoft Web Servers Hacked.”
If there is any good news in this, it is that the server modifications so far only amount to the addition of a JavaScript malware loader on site Web pages. While this loader will infect unpatched browsers (and apparently RealPlayer and Yahoo Instant Messenger), the browser holes that it exploits are not new and patches have previously been made available. The status on RealPlayer and Yahoo IM is currently unclear.
It isn’t entirely clear whether there is actually a vulnerability in IIS or it’s just the usual problem of Web programmers not sanitizing user input, but Microsoft has issued a security advisory (951306) with workarounds.
Update: Microsoft’s Bill Sisk says that the problem is due to poor Web programming practices and not any IIS vulnerability and also that security advisory 951306 is for a different problem.
Anand, a Microsoft security program manager, reveals via the Inside Windows Live Messenger blog that Microsoft is forcing Live Messenger users to upgrade to version 8.1 before any further usage due to a security exposure in earlier versions.
It’s hard to get excited about Microsoft’s monthly Patch Tuesday since its arrival is as inevitable as death and taxes, so “Microsoft fixes 14 flaws in biggest patch day since February” isn’t much of an eyebrow raiser, but Todd Bishop points out one interesting patch for Vista Gadgets:
The two large collections of non-security Vista fixes whose existence was leaked a week ago have now been formally released by Microsoft as
Yesterday, news leaked that Microsoft has released two new beta maintenance packs for Windows Vista to Windows Server 2008 beta testers. They are named the “Vista Performance and Reliability Pack” and the “Vista Compatibility and Reliability Pack” and provide fixes for many of the significant non-security problems early Vista users have encountered. Speculation has it that they will be released on the next regular Patch Tuesday which is August 14.
The natural question is why isn’t this Vista Service Pack 1 and speculation abounds there too, but since at least the promised search fixes for Google apparently aren’t included, the simple answer is that Microsoft has more work to do before SP1 is ready. In the meantime, there’s no reason they shouldn’t be shipping Vista bug fixes. As for the odd venue of a Windows Server 2008 beta program, it sounds like merely an expedient way to find some beta testers since the Vista testing program has ended.