Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.

The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft’s Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn’t aware of anyone trying to exploit that particular weakness.

On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw IIS was the cause of all the break-ins. When I asked Microsoft whether they’d heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn’t offer much more information.

According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.

“The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies,” said Bill Sisk, a communications manager at Microsoft, in a blog post. “SQL injection attacks enable malicious users to execute commands in an application’s database.”

Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.

SQL injection attacks involve insufficiently filtered code submitted to SQL databases through user input mechanisms.

On Friday, U.S. CERT issued a warning about SQL injection attacks that have compromised a large number of legitimate Web sites. Affected Web sites contain injected JavaScript that attempts to exploit several known vulnerabilities. U.S. CERT recommends disabling JavaScript and ActiveX.