A massive SQL injection attack has affected over half a million web sites that use Microsoft SQL Server. The attack was carried out through SQL injection: the worm searches for URLs with the extension "asp" or "aspx" that carry a query string, and it injects malicious JavaScript and HTML code into every parameter of that query string.
The attack is rather traditional and does not exploit any security holes in the server or database software. The difference, according to Jeremiah Grossman - CTO of White Hat Security, lies in "the size and the level of sophistication."
Microsoft said it will not release a patch because the cause does not lie in a security hole but in the poor coding practices of the web developers. These developers, according to Microsoft, have failed to filter the user-supplied data coming from web forms and query strings (through GET and POST requests) before inserting it into the SQL query. Microsoft has encouraged programmers to review their coding practices and to read the guide entitled Improving Web Application Security: Threats and Countermeasures.
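The coding mistake Microsoft describes, a query-string value pasted straight into the SQL text, is shown below beside the corrected form. This is an added illustration, not code from the article or from any affected site: it uses an in-memory SQLite table as a stand-in for a SQL Server database, the table, rows and `id` parameter are constructed for the example, and the hardened version binds the value as a query parameter and checks its shape before it reaches the database.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for a site's product table (not real data).
SAMPLE_ROWS = [(1, "widget", 0), (2, "gadget", 0), (3, "internal", 1)]


def make_db():
    """Build an in-memory SQLite database (stand-in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, product_id):
    """The pattern the article describes: user input concatenated into SQL text.

    Whatever arrives in the query string is parsed by the database as SQL, so
    an input such as '0 OR 1=1' rewrites the WHERE clause instead of being
    compared as a value.
    """
    sql = "SELECT name FROM products WHERE id = " + product_id + " AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = ? AND secret = 0"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def is_well_formed_id(value):
    """Input filtering: an id is a short run of digits and nothing else."""
    return re.fullmatch(r"\d{1,9}", value) is not None


def handle_request(conn, query_string, hardened):
    """Emulate an ASP page reading ?id=... from the URL.

    Every parameter of the query string is attacker-controlled, which is why
    the worm targets them; `hardened` selects the parameterized path plus the
    input check, mirroring the guidance quoted in the article.
    """
    params = parse_qs(query_string)
    product_id = params.get("id", [""])[0]
    if not hardened:
        return lookup_vulnerable(conn, product_id)
    if not is_well_formed_id(product_id):
        return []  # reject malformed input rather than pass it to the database
    return lookup_parameterized(conn, product_id)


if __name__ == "__main__":
    db = make_db()
    for qs in ("id=2", "id=0+OR+1%3D1"):
        print(qs, "vulnerable ->", handle_request(db, qs, hardened=False))
        print(qs, "hardened   ->", handle_request(db, qs, hardened=True))
```

With the well-formed request `id=2` both paths return the same row; with a query-string value that contains SQL syntax the concatenated query returns rows the page never intended to expose, while the parameterized query compares the whole string to the `id` column and matches nothing.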
Google, in an attempt to reduce the success of the attack, has temporarily removed the sites that appeared to be infected from its index.