While I agree that us scripters are at fault to an extent (yeah, I got bit too...twice before I got it under control), if 500,000 websites have this problem (FIVE HUNDRED THOUSAND) then Microsoft should at least attempt to do something. Quoted from a quote in the blog listed in the comment above mine: Microsoft's Sisk reply stated, "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

They are using that as an excuse NOT to do anything about a problem that they could do something about, when they are the most likely company to be ABLE to do something about it. They are relying on a white paper that 95% of those programmers don't know exists, when they could release something through their Update service to solve the problem. I guess it's just not profitable for them.