Microsoft denies fault for massive SQL attack
By Asavin Wattanajantra
Microsoft has denied that there is any vulnerability in its Internet Information Services (IIS) or SQL Server after reports of a massive SQL injection attack infecting hundreds of thousands of web pages.
The automated attack was reported by F-Secure to have infected more than half a million websites, including those of the United Nations and the UK government. These had been hacked and modified to download malware to visitors' computers, resulting in many being shut down.
Microsoft denied it was due to any new or unknown vulnerabilities in IIS or SQL Server. It also said the Security Advisory published on 17 April, which flagged up a vulnerability in Windows, was unconnected to the incident.
"The attacks are facilitated by SQL injection and are not related to issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft's Security Response Centre on the IIS blog.
It was claimed that attackers created an automated attack which took advantage of SQL injection vulnerabilities in web pages which did not follow security best practices for web application development.
Microsoft said that even though the attacks targeted sites hosted on IIS web servers, the vulnerabilities could be found on any platform.
Data security provider Secerno claimed that this was the first database threat equal in size and scope to well-known PC and virus attacks.
"What is different about this threat is that it automates attacks that were previously done by hand. This capability has increased both the threat level and the possible number of sites infected significantly," said Steve Moyle, chief technology officer at Secerno.
"The attack works by exploiting weaknesses on the website to gain access to the website and essentially take it over. Once in control of the database, the SQL injection takes every piece of data and adds a link with a malicious JavaScript."
He added: "When a web visitor goes to a page and clicks on a link with the infected JavaScript, his computer becomes infected."
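The symptom Moyle describes, a script tag appended to every stored piece of data, is something a site operator can scan for directly. The following is an added example, not code from the article or from any vendor quoted in it: it uses an in-memory SQLite database as a stand-in for a site's database, seeds it with constructed rows (one tainted with a placeholder script URL), shows the parameterised lookup that closes the injection route, and walks every text column of every table to report rows carrying an injected `<script src=...>` tag.

```python
import re
import sqlite3

# Constructed sample content, as a CMS might store it. The second row carries the
# appended <script> tag the mass injection leaves behind (placeholder URL, not a
# real indicator from the article).
SAMPLE_ROWS = [
    ("Welcome", "Hello from the site"),
    ("News", 'Latest updates<script src="http://malicious.example/x.js"></script>'),
]

SCRIPT_TAG = re.compile(r'<script\s[^>]*src\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_article(conn, article_id):
    """Parameterised lookup: the value is bound, never spliced into the SQL text,
    so a string such as '1 OR 1=1' is compared as data and matches no row."""
    return conn.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,)).fetchone()


def find_script_injections(conn):
    """Scan every TEXT column of every user table for injected <script src=...> tags.
    Returns (table, column, rowid, src_url) tuples so tainted rows can be located
    and cleaned. Table and column names come from the schema catalogue, not from
    user input, so quoting them as identifiers is safe here."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        text_cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')
                     if (c[2] or "").upper() == "TEXT"]
        for col in text_cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                for m in SCRIPT_TAG.finditer(value or ""):
                    hits.append((table, col, rowid, m.group(1)))
    return hits


if __name__ == "__main__":
    db = build_db()
    print(lookup_article(db, "1 OR 1=1"))  # bound as a value: None
    for hit in find_script_injections(db):
        print("tainted row:", hit)
```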