You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.
Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.
Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.
Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection, can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.
For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.
To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: http://www.microsoft.com/protect.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: http://www.ic3.gov