Microsoft: Massive site attacks not our fault
Microsoft late Friday denied that vulnerabilities in its Web and SQL server
software had been exploited to hack hundreds of thousands of Internet pages.
"Our investigation has shown that there are no new or unknown vulnerabilities
being exploited. This wave is not a result of a vulnerability in Internet
Information Services or Microsoft
SQL Server," said Bill Sisk, a communications manager with the Microsoft
Security Response Center, in a note posted to the group's blog.
Sisk said the post was in response to reports that over
half a million pages, including some belonging to the United
Nations, have been compromised by SQL injection attacks. Once hacked, those
sites were modified to download malware to visitors' PCs.
Early on Friday, Panda Security said it had notified Microsoft of what it called
a "security issue" in the company's Web server, Internet Information
Services (IIS). However, Panda stopped short of dubbing the problem a "vulnerability."
Sisk essentially said that the site hacks were run-of-the-mill SQL injection
attacks. "[They] are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft
SQL technologies," he claimed.
Microsoft's IIS team also chimed in to deny that the attacks were due to any
bugs, known or not, in its software. "For end-users, the investigation
also shows no indication of an unpatched vulnerability in IIS, SQL Server, Internet
Explorer or any other Microsoft client software, so we recommend customers
apply the latest updates to be protected from these attacks," said Bill
Staples, an IIS product manager, in an update posted to the software's support
forum on Friday night.
And although there has been speculation that the attacks were related to a
vulnerbility
mentioned in an April 17 advisory, Sisk said that wasn't true either. "We
have also determined that these attacks are in no way related to Microsoft Security
Advisory 951306," said Sisk.
Sisk and Staples urged Web site developers to follow
Topics: Security, Exploits and vulnerabilities, Software, Operating systems,
servers
» posted by abennett
Computerworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
