Last week we reported on a massive SQL injection exploit that could be affecting a large number of sites. While the source of the problem was apparent to many, some others were prematurely pointing the finger at IIS, which upset Microsoft.
Seeking to alleviate fears, the software giant has outright denied that IIS is to blame, claiming that the affected servers were not compromised through security flaws in IIS or Microsoft SQL Server. At the same time, it pointed to coding practices it feels help prevent such exploits from occurring. Microsoft is certainly correct this time in asserting that IIS is not the source of the problem, though given the troubled history of IIS it is easy to understand why many would assume it was.