Hunter Strategies LLC logo

Microsoft News Tracker

What's more interesting than observing Microsoft?

April 27, 2008

Microsoft IIS Web servers hit by widespread SQL injection attacks

Posted by David Hunter at 10:39 AM ET.

Over the last week there have been a number of reports of automated SQL injection attacks on Web sites running Microsoft’s flagship IIS Web server. The Washington Post’s Brian Krebs summarizes them nicely in Hundreds of Thousands of Microsoft Web Servers Hacked.

If there is any good news in this, it is that the server modifications so far only amount to the addition of a Javascript malware loader on site Web pages.  While this loader will infect unpatched browsers (and apparently RealPlayer and Yahoo Instant Messenger), the browser holes that it exploits are not new and patches have previously been made available. The status on RealPlayer and Yahoo IM is currently unclear.

It isn’t entirely clear whether there is actually a vulnerability in IIS or it’s just the usual problem of Web programmers not sanitizing user input, but Microsoft has issued a security advisory (951306) with workarounds.

Update: Microsoft’s Bill Sisk says that the problem is due to poor Web programming practices and not any IIS vulnerability and also that security advisory 951306 is for a different problem.

Filed under IIS, Microsoft, Security, Technologies

Related posts:


Comments are closed.

News Search:

Recent Posts:

Daily Digest Email:

Enter your Email

Powered by FeedBlitz


Full category list


Archive List

RSS Feed:

HunterStrat Links:


  • Powered by WordPress.