Reported iFrame Attacks _Not_ Due to MS Web/Database Stack

Pontifications on Microsoft and the Tech Industry

Twitter

andrewbrust New Press quote: SDTimes: Microsoft pivots toward business intelligence http://t.co/nDFHfJq3 about 8 hours ago

andrewbrust New press quote: 20120131 – SDTimes: Microsoft pivots toward business intelligence http://t.co/xYS9F5zX about 1 day ago

andrewbrust Check out @vlele on Bytes by MSDN - http://t.co/OBCtIcoG about 1 day ago

andrewbrust Next MSBINYC 2/13 'BI In The Sky? – Where We Are With SQL Azure Reporting Services' - Don't miss it! http://t.co/oZG3layi about 1 day ago

andrewbrust Unofficial, but looks like a Microsoft Store might be coming to NJ: http://t.co/bP4GQdns about 1 day ago

andrewbrust Steal This Column: http://t.co/wYYbj0bH about 1 day ago

andrewbrust @ActiveNick Oy vey. #GuiltTripForFollowers about 3 days ago

andrewbrust just...hit...1500...followers that...should...take...me...down...to...1493 about 3 days ago

andrewbrust Hmmm...sHould I RT this? @NY1headlines: Bronx Commuters Call For End To Bird Dropping Problem At Pelham Bay Park http://t.co/AHMVeVlD about 3 days ago

andrewbrust @DrPizza Maybe the old apps will be letter-boxed on the new 4:3 screens. about 3 days ago

<< First Impressions of Live Mesh | Home | LogMeOut >>

Reported iFrame Attacks _Not_ Due to MS Web/Database Stack

Recent articles like this one have been speculating on the possibility that a potential flaw in IIS might be responsible for a rash of malicious iFrame attacks that have plagued the Web recently.

It would appear that IIS, ASP[.NET, and SQL Server are not the culprits. A response to me and others, direct from Microsoft follows.

***

We have been investigating these reports today and just posted two blog posts about them:

http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

The high-level summary is:

These *are not* a result of any known security issue with IIS, SQL, ASP or ASP.NET (or any other Microsoft product)

These are instead the result of SQL injection issues within the web pages/applications hosted on these sites

You can learn more about SQL injection issues and how to prevent them in a blog post Scott Guthrie did a few years ago here: http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

The above blog posts provide more details on the attacks and have pointers on how to make sure your site doesn’t have SQL injection issues.

Share This Post:

posted @ Saturday, April 26, 2008 1:58 PM

Feedback

No comments posted yet.

Title:

Name:

Email: Not Displayed

Website:

Comment:

Enter the code shown above