Most of the security companies blamed that Microsoft Internet Information Services and Microsoft Internet Explorer vulnerabilities are responsible for all sorts of attacks. Some concluded that the problem was related to an advisory regarding a bug in multiple Windows versions that could be exploited through Internet Information Services (IIS) and SQL Server.
Despite reports saying differently, the software giant has investigated the problems and has concluded that the two are not related. Bill Staples explained the company’s findings on his IIS blog:
Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.