Microsoft denies fault for massive SQL attack

The company insists that there were no vulnerabilities specific to Windows which could have allowed a massive database attack affecting over half a million web pages.

Microsoft has denied that there is any vulnerability in its Internet Information Services (IIS) or SQL server after reports of a massive SQL injection infecting hundreds of thousands of web pages.

The automated attack was reported by F-Secure to have infected more than half a million websites, including those of the United Nations and the UK government. These had been hacked and modified to download malware to visitor's computers, resulting in many being shut down.

Microsoft denied it was due to any new or unknown vulnerabilities in ISS or SQL. It also said the Security Advisory that was published on 17 April which flagged up vulnerability in Windows was unconnected to the incident.

"The attacks are facilitated by SQL injection and are not related to issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft's Security Response Centre on the IIS blog.

It was claimed that attackers created an automated attack which took advantage of SQL injection vulnerabilities in web pages which did not follow security best practices for web application development.

Microsoft said that even though the attacks targeted sites hosted on IIS web servers, the vulnerabilities could be found on any platform.

Data security provider Secerno claimed that this was the first database threat that was equal in size and scope with well-known PC and virus attacks.

"What is different about this threat is that it automates attacks that were previously done by hand. This capability has increased both the threat level and the possible number of sites infected significantly," said Steve Moyle, chief technology officer at Secerno.

"The attack works by exploiting weaknesses on the web site to gain access to the website and essentially take it over. Once in control of the database, the SQL injection takes every piece of data and adds a link with a malicious Java script."

He added: "When a web visitor goes to a page and clicks on a link with the infected Java script, his computer becomes infected."

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
Oxford University COVID lab falls victim to hackers
hacking

Oxford University COVID lab falls victim to hackers

26 Feb 2021