Huge web attack blamed on IIS?

Don't know if you saw this, but it's certainly scary. There are several articles out about a massive web server attack, and these articles are blaming it on a vulnerability in IIS. Reportedly, this has impacted 100K+ servers. The Microsoft Security Response Center (MSRC) is aware of this, and has already posted a response.

Here's the short scoop. There are no new or unknown vulnerabilities, and nothing specific to Microsoft products - other than we're on a lot of web servers out on the Internet. These attacks start with someone compromising a web site via a SQL Injection attack; a payload can then be delivered to the browsers of visitors to the hacked page.

So, customers are urged to do a security review of their site (specifically on SQL Injection points of entry), as well as stay patched. No news there, since we should all be doing this already. See the MSRC post to get more info on this. It has links to other resources, including an informative post from Bill Staples (one of the biggies in our IIS unit). Bill talks about the issues, including guidance resources, security contacts, and the Internet Crime Complaint Center. For even more insight into the issue, check out the comments below his post.

Anyway, the long and short of this is that SQL Injection is easy to prevent, and preventing it is a practice I thought all web developers would be familiar with. But this proves that the developer community has some learning to do.
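To make the "easy to prevent" point concrete, here is an added example (not code from the original post, Microsoft, or any of the sites involved) showing the one habit that closes the SQL Injection entry point the post describes: binding user input as a query parameter instead of pasting it into the SQL text. It is written in Python against an in-memory SQLite table so it runs offline; the table, its rows, and the `slug` page-lookup parameter are all constructed for the example, and the same concatenation-versus-parameter contrast applies unchanged to ASP/ASP.NET code talking to SQL Server.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a site's page store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("contact", "Email us")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """The injectable pattern: the request parameter becomes part of the SQL text.

    Whatever the visitor supplies is parsed by the database as SQL, so a value
    containing a quote can change the WHERE clause the developer intended.
    """
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    """The fix: the SQL text is fixed and the value travels as a bound parameter.

    The database never parses the visitor's input as SQL; it is compared as a
    plain string, so the query's structure cannot be altered by that input.
    """
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def review_query_site(conn, slug):
    """Return (vulnerable_rows, parameterized_rows) for the same input.

    A review of a site's SQL entry points amounts to finding every call that
    looks like lookup_vulnerable and rewriting it like lookup_parameterized.
    """
    return lookup_vulnerable(conn, slug), lookup_parameterized(conn, slug)


if __name__ == "__main__":
    db = make_db()
    # A well-formed slug behaves the same either way.
    print(review_query_site(db, "home"))
    # A slug containing a quote is treated as SQL by the concatenated version
    # (it returns every page) and as a harmless literal by the bound version.
    print(review_query_site(db, "' OR '1'='1"))
```

Running the module prints `(['Welcome'], ['Welcome'])` for the ordinary slug and then shows the concatenated query returning all three page bodies while the parameterized one returns nothing, which is exactly the difference a site review should be looking for at each point where request data reaches a query.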