HitNet Customer Portal
Information
Article ID: 9
Created On: 6/6/2008
Modified: 6/6/2008
SQL Injection
With the recent increase in the number of SQL injection attacks, many web applications are being defaced by inserting malicious HTML script tags. This malicious content is stored in the SQL database and is then served out with the dynamic web pages generated from it. Attacks of this kind continue to exploit vulnerable web applications, and have been accelerating since the first quarter of 2008.

The web applications most exposed to these attacks are written in Classic ASP, where the code builds dynamic SQL queries from URI query-string parameters and runs them against a Microsoft SQL Server database at the backend. Microsoft explains SQL injection in detail at: http://msdn.microsoft.com/en-us/library/ms161953.aspx

These attacks do not take advantage of vulnerabilities in Microsoft IIS or Microsoft SQL Server. Instead, they exploit vulnerabilities in the custom web applications running on this infrastructure. Microsoft has investigated these attacks thoroughly and determined that they are not related to any patched or 0-day vulnerabilities in Microsoft products. More information can be found at http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

We recommend that all customers who run dynamic ASP/ASP.NET web applications with a SQL database at the backend review their web site logs and database tables for signs of previous exploitation. We also recommend a complete audit of the site scripts for these code vulnerabilities, with fixes applied as early as possible. It is highly advised to apply the best practices described by Microsoft, on a regular basis, when developing web site applications.
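As an added example (not part of this article and not a HitNet or Microsoft tool) of the log and table review recommended above, the script below parses IIS W3C extended log lines, decodes the query string that a Classic ASP page would have turned into dynamic SQL, and flags requests matching common injection indicators; it also scans text rows pulled from the database for stored script tags. The log lines, the table rows, and the indicator list are constructed for illustration and are assumptions, not data from the article.

```python
import re
import urllib.parse

# Constructed IIS W3C extended log sample (not real traffic); query strings are illustrative.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-06-06 10:01:12 10.0.0.5 GET /products.asp id=42 192.0.2.10 200
2008-06-06 10:01:15 10.0.0.5 GET /products.asp id=42;DECLARE+@S+VARCHAR(4000);SET+@S=CAST(0x44+AS+VARCHAR(4000));EXEC(@S);-- 192.0.2.77 200
2008-06-06 10:01:20 10.0.0.5 GET /news.asp id=7'+OR+'1'='1 192.0.2.78 500
2008-06-06 10:02:01 10.0.0.5 GET /about.asp - 192.0.2.11 200
"""
# Constructed rows as (table, column, key, value) read from text columns of the site database.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Red widget"),
    ("Products", "Description", 2, 'Blue widget<script src="http://example.invalid/x.js"></script>'),
]

# Indicators of SQL injection attempts, checked against the decoded query string.
INDICATORS = [
    re.compile(r"\bDECLARE\s+@\w+", re.I),            # T-SQL variable declaration
    re.compile(r"\bCAST\s*\(\s*0x[0-9a-f]+", re.I),    # hex-encoded payload
    re.compile(r"\bEXEC\s*\(", re.I),                  # dynamic execution
    re.compile(r"'\s*(OR|AND)\s+'?\w", re.I),          # quote-breaking tautology
    re.compile(r"--\s*$|;\s*(DROP|UPDATE|INSERT|DELETE)\b", re.I),
]
SCRIPT_TAG = re.compile(r"<script\b", re.I)            # injected HTML stored in the database

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def decode_query(raw):
    # IIS writes '-' for no query; '+' and %xx escapes must be decoded before matching.
    return "" if raw == "-" else urllib.parse.unquote_plus(raw)

def suspicious_requests(log_text):
    hits = []
    for entry in parse_w3c(log_text):
        query = decode_query(entry.get("cs-uri-query", "-"))
        matched = [p.pattern for p in INDICATORS if p.search(query)]
        if matched:
            hits.append({"time": entry["time"], "client": entry["c-ip"], "stem": entry["cs-uri-stem"], "query": query, "matched": matched})
    return hits

def injected_rows(rows):
    """Return (table, column, key) for rows whose text value carries a script tag."""
    return [(t, c, k) for t, c, k, v in rows if SCRIPT_TAG.search(str(v))]
```

Every flagged request identifies the client address and the page whose query string was abused, and every flagged row identifies the record to clean; fixing the script that built the query is still required, since the scan only shows where past exploitation landed.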

Please visit the following links for more information and best practices:

http://msdn.microsoft.com/en-us/library/ms998271.aspx
http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://msdn.microsoft.com/en-us/library/bb671351.aspx
http://www.acunetix.com/websitesecurity/sql-injection.htm