"Our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server," said Bill Sisk of The Microsoft Security Response Center in a 9:44 p.m. post to that organization's blog.

It was widely reported on Friday that more than 500,000 webistes, including some belonging to organizations such as the US Department of Homeland Security and the United Nations, had been hacked. Many of those stories suggested that a vulnerability in Microsoft's SQL server software might be at fault.

Panda Security said Friday that it had notified Microsoft of a "security issue" in Internet Information Services, though the organization did not specifically call the problem a "vulnerability."

According to Sisk, the attack is not an exploit related to any known or unknown vulnerabilities in any Microsoft software, but is instead a more common SQL injection attack, which "enable malicious users to execute commands in an application's database." He says website or application developers can protect against such attacks by using security procedures outlined in its developer network library.

A post on Microsoft's IIS blog further explained that the attack was not associated with a software vulnerability, and recommended that end-users update their security with the latest patches to protect themselves from being impacted by the attacks.

In a Friday article, the Register quoted security experts who said the task of deleting malicious code from affected sites was going to be enormous and would likely take a very long time, as developers replaced overwritten records or reverted sites to recent backups.