Tuesday, April 29, 2008

Half a Million Microsoft-Powered Sites Hit With SQL Injection

Slashdot posted a link yesterday to an article about a recent SQL injection attack on approximately 500,000 websites that seems to be limited to Microsoft's IIS web server.

The attack itself injects malicious JavaScript code into every text field in a database. That code, in turn, loads another script that can compromise a user's PC.
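For site owners checking whether their own data was touched, here is an added example (not from the article or from Microsoft) that walks every text column in a database and reports `<script>` tags loading code from hosts the site does not expect. An in-memory SQLite database stands in for the site's real database so the check runs offline; the table names, host names and the `allowed_hosts` parameter are constructed for illustration.

```python
import re
import sqlite3

# Matches a <script> tag that pulls code from an external http(s) URL.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")
    for (table,) in tables.fetchall():
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col

def scan(conn, allowed_hosts=()):
    """Return {(table, column): {script_url: row_count}} for unexpected script tags."""
    findings = {}
    for table, col in text_columns(conn):
        query = f'SELECT "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        for (value,) in conn.execute(query, ("%<script%",)).fetchall():
            for url in SCRIPT_SRC.findall(value):
                host = url.split("/")[2].lower()
                if host not in allowed_hosts:  # hypothetical allowlist of known-good hosts
                    per_col = findings.setdefault((table, col), {})
                    per_col[url] = per_col.get(url, 0) + 1
    return findings

def build_sample():
    """Constructed sample data: some fields carry an appended script tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name VARCHAR(50), blurb TEXT);
        CREATE TABLE news (id INTEGER, title TEXT, views INTEGER);
    """)
    bad = '<script src="http://injected.example/x.js"></script>'  # constructed value
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget" + bad, "Small widget" + bad),
        (2, "Gadget" + bad, 'Video: <script src="https://cdn.example/player.js"></script>'),
    ])
    conn.execute("INSERT INTO news VALUES (1, 'Launch day', 10)")
    return conn

if __name__ == "__main__":
    for (table, col), urls in scan(build_sample(), {"cdn.example"}).items():
        print(table, col, urls)
```

The same script URL appearing across many unrelated columns is the signature of the blanket injection described above, as opposed to a single field where someone pasted markup on purpose.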

According to Bill Sisk, Microsoft's Trustworthy Computing Response Communications Manager:
"Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov."

For details, see WIRED.