Microsoft vulnerability compromised half a million web pages

Up to 500,000 web pages and thousands of websites, including some belonging to the United Nations, could have been hacked thanks to a security issue in Microsoft's Web server, according to one security firm.

The attack started last Wednesday, according to Websense, targeting United Nations and government websites, and more specifically IIS (Internet Information Services), with a vulnerability that was already known to Microsoft.

The software company had already issued an advisory related to the vulnerability on the 17th of April, but it seems that apathy and lack of time meant that many system administrators were caught short by the attack.

Microsoft has vehemently denied that vulnerabilities in its software were behind the surge in attacks.

Microsoft Security Response Centre's Bill Sisk said that "Microsoft's investigation has shown that there are no new or unknown vulnerabilities being exploited," and added "This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies".

The hackers distribute malware through trusted websites like the United Nations by luring visitors into a false sense of security and then serving malicious JavaScript, which loads into an iframe from a third-party server.