Help me understand this
Posted Tuesday 10th February 2009 17:17 GMT
I won't even try to pretend I'm a web guru, but I've done a bit of web programming, mostly as a hobby for myself and a friend. And for the life of me, I cannot possibly understand how an SQL injection is successful. Let me rephrase that -- I cannot possibly understand how the person programming the website can let it be successful. Who in their right mind would write code that allows an untrusted source to query whatever part of the database they want? Don't these people validate the input before running the database queries? That's one of the most basic security tasks. If you don't even bother to do that, you might as well put phpMyAdmin on your site with no password. That also raises the question -- could they simply read the data via SELECT queries, or could they also write data with INSERT or UPDATE queries? The former is a bad security vulnerability; the latter results in a database you can no longer trust.
On a side note, it certainly is a bit unnerving that a security company, who (most likely for reasons of greed and power) is the single source of defense against the most prolific piece of malware ever developed, shows such lax security (self-admittedly the result of poor security practices -- not properly reviewing code before going live with it).



