
Thread: SQL Injection Attacks on IIS Web Servers

Last post 04-28-2008 7:24 PM by bills. 1 replies.


  • 04-25-2008, 11:41 PM

    • bills
    • Top 25 Contributor
    • Joined on 02-03-2006, 12:33 PM
    • Redmond, WA
    • Posts 433

    SQL Injection Attacks on IIS Web Servers


    This thread will contain the latest information regarding recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

    Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

    Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

    Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.

    For end-users, the investigation also shows no indication of an unpatched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

    To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

    Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.

    Subscribe to this thread, or check back later for the latest information from the community.

    ~~~~~~~~~~~~~~~~~~~~~~~~
    Bill Staples
    Product Unit Manager, IIS
    blog: http://blogs.iis.net/bills
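
    The "security best practice" the post above refers to is, concretely, never building SQL text out of request input. The following is an added illustration, not code from the thread or from Microsoft: it shows the concatenation pattern that leaves an ASP.NET page open to SQL injection beside the parameterized form that closes it. The table name dbo.Products and its columns are assumptions made up for the example.

```csharp
// Added example (not from the forum thread). Assumes a hypothetical table
// dbo.Products with columns Name (nvarchar) and Price (decimal).
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // VULNERABLE: the caller's input is spliced into the SQL text, so the
    // database server parses whatever the caller sent as part of the statement.
    public static string BuildUnsafeQuery(string productName)
    {
        return "SELECT Name, Price FROM dbo.Products WHERE Name = '" + productName + "'";
    }

    // HARDENED: the SQL text is a constant; the input travels as a typed
    // parameter value and is never interpreted as SQL, whatever it contains.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string productName)
    {
        var command = new SqlCommand(
            "SELECT Name, Price FROM dbo.Products WHERE Name = @name", connection);
        // Bind with an explicit type and length; an over-long value is rejected
        // or truncated by the provider instead of reaching the server unchecked.
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = productName;
        return command;
    }

    // Runs the parameterized lookup and prints each matching row.
    public static void PrintMatches(string connectionString, string productName)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = BuildSafeCommand(connection, productName))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine("{0}: {1}", reader.GetString(0), reader.GetDecimal(1));
                }
            }
        }
    }

    public static void Main()
    {
        // Constructed input: an ordinary name containing an apostrophe is enough
        // to show that concatenation changes the meaning of the statement.
        string input = "O'Brien";
        Console.WriteLine(BuildUnsafeQuery(input));
        // The quote inside the value ends the string literal early, so the
        // statement is now malformed; the parameterized path below is unaffected.
        // PrintMatches("<connection string placeholder>", input);
    }
}
```

    The same rule applies to classic ASP through ADO: use a Command object with Parameters.Append rather than string concatenation. Input filtering of the kind the later reply links to is a stop-gap that reduces exposure while pages are being fixed; parameterization is the fix itself.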
  • 04-28-2008, 7:24 PM In reply to

    • bills
    • Top 25 Contributor
    • Joined on 02-03-2006, 12:33 PM
    • Redmond, WA
    • Posts 433

    Re: SQL Injection Attacks on IIS Web Servers


    Today we provided a few scripts for ASP and ASP.net developers to help protect against SQL Injection attacks. Please see:

    Nazim's post on steps to protect your classic ASP application here: http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

    and Stefan's post on how to protect your ASP.NET application here: http://forums.asp.net/t/1254125.aspx

    ~~~~~~~~~~~~~~~~~~~~~~~~
    Bill Staples
    Product Unit Manager, IIS
    blog: http://blogs.iis.net/bills