A new SQL injection attack aimed at Microsoft IIS web servers has hit some 500,000 websites, including the United Nations, UK Government sites and the U.S. Department of Homeland Security. While the attack is not necessarily Microsoft’s fault, it is unique to the company’s IIS server.
The automated attack takes advantage of the fact that Microsoft’s IIS servers allow generic commands that don’t require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites’ creators, rather than a specific Microsoft flaw.
In other words, there’s no patch that’s going to fix the issue; the problem is with the developers who failed to follow well-established security practices for handling database input.
Most of the larger sites affected have long since repaired themselves and claim that the underlying problems in their code have been fixed. However, if you don’t want to take the chance, there’s a simple way to avoid the problem — use Firefox with NoScript. Since the attack loads a script from a different domain, NoScript will stop it from running.
If you’ve been hit by the attack, you should, as Bill Sisk, Microsoft’s Trustworthy Computing Response Communications Manager, suggests on his blog, report the attack.
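To make the "poor data handling" point concrete, here is an added example (not code from the article or from any affected site) of the vulnerable pattern beside the corrected one, plus a scan for the attack's symptom: script tags in database text columns that load from a foreign domain. It uses Python with an in-memory SQLite database standing in for the SQL Server behind an ASP page; the table, the `www.example.gov` host and the `example.invalid` script host are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample site database (SQLite stands in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [
            ("Budget", "Annual budget released"),
            ("Minutes", "Council minutes"),
            # Constructed example of a row already defaced with a foreign script tag.
            ("Notice", 'Road closure<script src="http://example.invalid/x.js"></script>'),
        ],
    )
    conn.commit()
    return conn


def search_unsafe(conn, term):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so a quote in the input changes the statement instead of the data.
    sql = "SELECT title FROM news WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Corrected pattern: a placeholder; the driver hands the value to the
    # database separately and it is never parsed as SQL.
    rows = conn.execute("SELECT title FROM news WHERE title = ?", (term,))
    return [row[0] for row in rows]


# Matches a script tag with an absolute http(s) src and captures its host.
SCRIPT_TAG = re.compile(r'<script[^>]+src=["\']?https?://([^/"\'\s>]+)', re.I)


def find_foreign_scripts(conn, own_host):
    """Scan every TEXT column in every table for script tags that load from a
    host other than own_host. Returns a list of (table, column, rowid, host)."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')
                if (c[2] or "").upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                for host in SCRIPT_TAG.findall(value or ""):
                    if host.lower() != own_host.lower():
                        hits.append((table, col, rowid, host))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", search_unsafe(db, probe))   # every row comes back
    print("safe:  ", search_safe(db, probe))     # nothing matches that literal title
    print("foreign scripts:", find_foreign_scripts(db, "www.example.gov"))
```

The parameterized version treats the whole input as one string value, which is why it returns nothing for the probe; the scan is the kind of check a site operator would run over stored content after an attack of this sort, since the injected tag lives in the database rather than in any page template.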
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.
So far there have been no details about who is behind the attacks.