Last week we reported on a massive SQL injection exploit that could be affecting a large number of sites. While the source of the problem was apparent to many, some others were prematurely pointing the finger at IIS, which upset Microsoft.
Seeking to alleviate fears, the software giant has outright denied that IIS is to blame, claiming that the affected servers were not compromised due to security flaws inside IIS or Microsoft SQL Server. At the same time, the company pointed to coding practices it feels help prevent such exploits from occurring. Microsoft is certainly correct this time in asserting that IIS is not the source of the problem, though with the troubled history of IIS it is easy to understand why many would assume so.