Half A Million Windows Server Powered Sites Hit With SQL Injection

Here is the article from Wired Magazine:

Massive Attack: Half A Million Microsoft-Powered Sites Hit With SQL Injection

A new SQL injection attack aimed at Microsoft IIS web servers has hit some 500,000 websites, including the United Nations, UK Government sites and the U.S. Department of Homeland Security. While the attack is not necessarily Microsoft’s fault, it is unique to the company’s IIS server.

This also includes the Department of Homeland Security!

Of course, this method of attack could happen to any insecure web application, whether it runs on Windows or another platform, but I think the hackers are sending a message here:

That many web application developers who use proprietary platforms such as Microsoft SQL Database or servers aren’t doing a good job building secure systems! Could it be because, in the proprietary world, developers don’t get to read other developers’ code to enhance their knowledge and skills, and instead rely mostly on the training they receive from certificate programs and the school system?

Or could it be that in the proprietary world the source code of an application never gets reviewed by the community of developers, whereas otherwise the security bugs would have been shallow, given all the eyeballs scanning the code over and over again?
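To illustrate the point that the platform is not what decides this (an added example, not code from the original post or from any of the affected sites), here is the same user lookup written the insecure way, with the input spliced into the SQL text, and the hardened way, with the value bound as a parameter. The table and its rows are constructed sample data, and SQLite stands in for whatever database the application actually uses:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for any web application's
    # backing store (example data, not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Insecure pattern: user input is concatenated into the SQL text, so a
    # quote character in the input closes the literal and the rest of the
    # input is parsed as SQL. This is the defect SQL injection exploits,
    # and it is the same on IIS, Apache, MSSQL, MySQL or SQLite.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the SQL text is fixed and the driver binds the value
    # separately, so the input is only ever compared as data and is never
    # parsed as part of the statement.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print(lookup_vulnerable(db, "bob"))       # [('bob', 'user')]
    print(lookup_vulnerable(db, hostile))     # all three rows: the filter is bypassed
    print(lookup_parameterized(db, hostile))  # []: no user is literally named that
```

Swapping the `sqlite3` connection for any other DB-API driver changes nothing about which of the two functions is exploitable.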


2 thoughts on “Half A Million Windows Server Powered Sites Hit With SQL Injection”

  1. I suspect that most of the bad code in Windows is in Visual Basic. C# programmers tend to produce better code because they come from C backgrounds.

    PHP is no different. I’m constantly fixing poorly written and documented PHP code. PHP applications tend to be full of security holes. It’s amazing that more PHP programmers aren’t doing OO programming in version 5.x. The problem is that this type of programming requires some effort to learn and many programmers learned PHP over a weekend.

  2. Does anyone know if there is another language or set of commands beside SQL for talking with databases?

    I’m working on a project and am doing some research. Thanks.
