Recent articles like this one have been speculating that a flaw in IIS might be responsible for the rash of malicious iFrame attacks that have plagued the Web recently.
It would appear that IIS, ASP.NET, and SQL Server are not the culprits. A response sent directly from Microsoft to me and others follows.
***
We have been investigating these reports today and just posted two blog posts about them:
http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx
http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx
The high-level summary is:
These *are not* a result of any known security issue with IIS, SQL, ASP or ASP.NET (or any other Microsoft product)
These are instead the result of SQL injection issues within the web pages/applications hosted on these sites
You can learn more about SQL injection issues and how to prevent them in a blog post Scott Guthrie did a few years ago here: http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
The above blog posts provide more details on the attacks and have pointers on how to make sure your site doesn’t have SQL injection issues.
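To make the distinction Microsoft draws concrete, here is an added example (mine, not code from the post or from Microsoft) showing the application-level defect behind these attacks: a query built by concatenating user input, next to the parameterized form that prevents it. It uses Python with the standard sqlite3 module and a constructed in-memory table as a stand-in for the ASP.NET/SQL Server pairing the post concerns; the principle, binding input as a parameter instead of splicing it into the SQL text, is the same one Scott Guthrie's post recommends for ADO.NET.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the original post.
SAMPLE_ROWS = [
    (1, "widget", "A small widget"),
    (2, "gadget", "A handy gadget"),
    (3, "gizmo", "Assorted gizmo"),
]


def make_db():
    """Create an in-memory database holding a constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name):
    """Builds the SQL by string concatenation: the SQL injection defect.

    Whatever the caller passes in becomes part of the SQL text, so quote
    characters in the input change the structure of the statement.
    """
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn, name):
    """Passes the input as a bound parameter; the driver never parses it as SQL.

    The statement text is fixed; the value is sent separately and compared
    literally, quotes and all.
    """
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an ordinary value and with a quote-bearing value."""
    conn = make_db()
    benign = "widget"
    # Textbook illustration: closes the quoted literal and appends an
    # always-true condition, so the concatenated query matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": find_by_name_vulnerable(conn, benign),
        "vuln_hostile": find_by_name_vulnerable(conn, hostile),
        "param_benign": find_by_name_parameterized(conn, benign),
        "param_hostile": find_by_name_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every product for the quote-bearing input, while the parameterized version returns nothing, because there is no product literally named `x' OR '1'='1`. When auditing a site after an incident like the one discussed above, the code pattern to search for is exactly the first function: any place where request data is spliced into a SQL string rather than bound as a parameter.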