Microsoft warns on IIS 5 and IE attack

Microsoft and US government internet security agency the Computer Emergency Readiness Team (US-CERT) are warning of attacks launched by compromised websites running Microsoft's Internet Information Server (IIS) 5.

US-CERT said it is "aware of new activity" involving websites running IIS 5.

Sites are appending JavaScript to the bottom of web pages that, when executed, attempts to access a file hosted on another server.

"This file may contain malicious code that can affect the end user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems," the organisation said.

US-CERT, a partnership between the Department of Homeland Security and the public and private sectors, coordinates defence against and responses to cyber-attacks.

It has advised web server administrators running IIS 5 to verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

Disabling JavaScript will prevent this activity from affecting an end user's system, although it may also degrade the appearance and functionality of some websites that rely upon JavaScript.

"US-CERT recommends that end users disable JavaScript unless it is absolutely necessary. Users should be aware that any website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."

Microsoft is investigating a report that some customers using IIS 5.0 are being exploited by an issue known as Download.Ject.

It said early indications are that IIS 5.0 Servers which have not been updated with security update MS04-011 are possibly under attack. Customers should ensure they have installed MS04-011 to be secure from the issues addressed in that update.

"Microsoft has confirmed that this exploit seeks to alter web pages offered by an IIS 5.0 Server, which in turn exploits vulnerabilities in Internet Explorer [IE] and delivers malicious code to visitors of an affected website," the company said.

"IE customers should download and deploy MS04-013 to ensure they have the most recent security updates for IE. In addition, IE customers should utilise high security settings."