Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Virus and Vulnerability Roundup
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Microsoft: Massive site attacks not our fault

No bugs in IIS or SQL Server, says company

April 27, 2008 12:00 PM ET

Active Comments
n0mad says: ComputerWorld is pushing FUD. "hackers have leveraged weaknesses in the company's Web and SQL software" Really? Dude what CVE's were...
Anonymous says: Man - this is not ActiveX or any executable code flaw. This is bad programming by the web site developers...


Computerworld - Microsoft Corp. late Friday denied that vulnerabilities in its Web and SQL Server software had been exploited to hack hundreds of thousands of Internet pages.

"Our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server," said Bill Sisk, a communications manager at Microsoft's Security Response Center, in a note posted to the group's blog.

Sisk said the post was in response to reports that over half a million pages, including some belonging to the United Nations, have been compromised by SQL injection attacks. Once hacked, those sites were modified to download malware to visitors' PCs.

Early on Friday, Panda Security said it had notified Microsoft of what it called a "security issue" in the company's Web server, Internet Information Services (IIS). However, Panda stopped short of dubbing the problem a "vulnerability."

Sisk said that the site hacks were essentially run-of-the-mill SQL injection attacks. "[They] are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies," he claimed.

Microsoft's IIS team also chimed in to deny that the attacks were exploiting any bugs, known or not, in its software. "For end users, the investigation also shows no indication of an unpatched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks," said Bill Staples, an IIS product manager, in an update posted to the software's support forum on Friday night.

And although there has been speculation that the attacks were related to a vulnerability mentioned in an April 17 advisory, Sisk said that wasn't true either. "We have also determined that these attacks are in no way related to Microsoft Security Advisory 951306," he said.

Sisk and Staples urged Web site developers to follow Microsoft's guidelines to protect their domains from SQL injection attacks.

Read more about spam, malware and vulnerabilities in Computerworld's Spam, Malware and Vulnerabilities Knowledge Center.



Jump to comments

Microsoft

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

What People Are Saying

White Papers & Webcasts

Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.  

Employee Web Use and Misuse
Download this new White Paper today!  

The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.

Get More from Your IT Budget
Download this new white paper today!  

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!


IT Jobs