Last week was a lousy week for Web site administrators. Depending on your expert of choice, anywhere from just over a hundred thousand to more than half a million Web pages had been hacked to turn them into malware-spewing portals.
Panda, the security company, suggested that a recently unveiled ‘elevation of privilege’ flaw affecting XP SP2, Vista and, far more significantly, Windows Server 2003 and 2008 could be at fault. While the elevation of privilege vulnerability can’t by itself be used to gain full control of a system, it can be used to take over the accounts that are commonly used to run custom applications under Microsoft’s IIS (Internet Information Services). So, for example, if you’re running a Web application that uses ASP.NET in full trust mode, your site is crackable.
Microsoft, however, is denying that this wave of attacks has anything to do with IIS or with this particular security hole. Instead, Bill Sisk, a communications manager at Microsoft’s Security Response Center, said the attacks appeared to be ordinary SQL injection attacks.
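For readers who haven’t seen what “ordinary SQL injection” looks like, here is an added illustration (not code from the column, from Microsoft, or from any of the hacked sites). It uses Python and an in-memory SQLite database standing in for a site’s content store; the table names, the sample pages and the password hash are all constructed for the demo. The vulnerable lookup pastes the request parameter straight into the query text, so a tautology payload returns every page and a UNION payload reads the users table; the parameterized version treats the same payloads as a literal title and returns nothing.

```python
import sqlite3

# Constructed sample data for the demo (not taken from the article).
PAGES = [
    ("home", "<h1>Welcome</h1>"),
    ("about", "<p>About us</p>"),
]
USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),  # constructed hash value
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for a site's content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, title: str) -> list:
    """Concatenates untrusted input straight into the SQL text: the textbook hole."""
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, title: str) -> list:
    """Same query with a bound parameter; the input can never change the query's shape."""
    sql = "SELECT body FROM pages WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


# Two classic payloads an attacker would send in the request parameter.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username || ':' || pwhash FROM users --"


def demo() -> dict:
    """Run both payloads through both lookups and return what each one leaks."""
    conn = make_db()
    return {
        "vuln_tautology": vulnerable_lookup(conn, TAUTOLOGY),   # every page body
        "vuln_union": vulnerable_lookup(conn, UNION_DUMP),      # the users table
        "safe_tautology": safe_lookup(conn, TAUTOLOGY),         # no such title
        "safe_union": safe_lookup(conn, UNION_DUMP),            # no such title
        "normal": safe_lookup(conn, "home"),                    # legitimate request
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The demo only reads data, because SQLite’s `execute` refuses to run more than one statement at a time. On a database server that accepts stacked statements in one batch, the same concatenation hole lets the attacker append an UPDATE that rewrites stored page content, which is how an injection bug in a content query turns into a page that serves whatever markup the attacker chooses. Either way, the fix is the second function: bind parameters, never build query text from request input.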
OK, so whose fault is it then? Much as I like to pound on Microsoft, this time it doesn’t seem to be their fault. Well, not entirely the boys from Redmond’s fault anyway.