IIS 5 & IIS 6
SQL Injection Attacks on IIS Web Servers
Last post Apr 28, 2008 07:24 PM by bills
Apr 25, 2008 11:41 PM|bills
This thread will contain the latest information regarding recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.
For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.
To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit Support for Microsoft Update.

Anyone believed to have been affected can visit the Microsoft Virus Solution and Security Center and should contact the national law enforcement agency in their country. Additionally, customers in the United States should contact their local FBI office or report their situation at:
Subscribe to this thread, or check back later for the latest information from the community.
Apr 28, 2008 07:24 PM|bills
Today we provided a few scripts for ASP and ASP.net developers to help protect against SQL Injection attacks. Please see:
Nazim's post on steps to protect your classic ASP application here:
and Stefan's post on how to protect your ASP.NET application here:
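The "best practices" the first post points to and the ASP.NET guidance the second post refers to come down to one rule: untrusted request data must never become part of the SQL text. The following ASP.NET (C#) example is added here and is not code from this thread or from the linked posts; it shows a query-string lookup written the vulnerable way and the parameterized way. The table `Products`, its columns `ProductId` and `Name`, and the open `SqlConnection` passed in are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not from the thread). Table and column names are hypothetical.
public static class ProductLookup
{
    // VULNERABLE: the raw query-string value is concatenated into the statement,
    // so whatever the client sends is executed as SQL by the database server.
    // This is the pattern the automated attack described above relies on.
    public static string GetNameUnsafe(SqlConnection conn, HttpRequest request)
    {
        string id = request.QueryString["id"];
        string sql = "SELECT Name FROM Products WHERE ProductId = " + id;
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() as string;
        }
    }

    // HARDENED: the value is validated to the type the page expects and then
    // sent as a typed parameter; the SQL text is a constant the client cannot alter.
    public static string GetNameSafe(SqlConnection conn, HttpRequest request)
    {
        int id;
        if (!int.TryParse(request.QueryString["id"], out id))
        {
            // Reject unexpected input before it reaches the database.
            throw new HttpException(400, "id must be an integer");
        }

        const string sql = "SELECT Name FROM Products WHERE ProductId = @id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

The same change applies to classic ASP via ADO `Command` objects with `CreateParameter`; in both cases the database login the application uses should hold only the permissions its pages actually need, so that a remaining injection flaw cannot modify data it was never meant to reach.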