Saturday, April 26, 2008

Microsoft Responds: Questions About Web Server Attacks

Via The Microsoft Security Response Center (MSRC).

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information that web developers and IT Professionals can use to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here.

More here.

1 Comments:

At Tue May 20, 05:29:00 PM PDT, Blogger Fred said...

SQL Injections are a big risk to databases and as you point out, can be prevented by following best security practices. Basic protections, such as validating input, parameterizing queries, and limiting input string length, are a great start towards securing a database against these attacks. There's a really good video on implementing these security steps at http://www.microsoft.com/hellosecureworld7

 
