Microsoft recommends that customers running a Web site on its Windows NT 4.0, Windows 2000 or Windows XP Professional operating systems install the patch immediately.
IIS versions 4, 5 and 5.1 are susceptible to the vulnerability, Microsoft said. Beta build versions 3605 or higher of .Net Server already contain the fix. IIS 6 is included with .Net Server.
The security patch is cumulative, in that it incorporates other separately released fixes. The patch also addresses 10 newly discovered security vulnerabilities affecting IIS, Microsoft said. IIS 5 is susceptible to all the new vulnerabilities, IIS 4 to nine, and IIS 5.1 to eight.
Microsoft deemed three of the fixes as critical for all three versions of IIS and one as critical for IIS 4 and 5. The other new vulnerabilities pose either a moderate or a low security threat.
Many of the new fixes have to do with so-called buffer overflow or denial-of-service attacks that could cripple Web sites. In a buffer overflow, an attacker floods a field, typically an address bar, with more characters than the program has set aside to hold them. In some cases the excess characters can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by its security measures.
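The pattern described above, as an added illustration that is not code from the article or from IIS: a server routine that copies a request path into a fixed-size buffer without checking its length, beside the bounded version that rejects input that does not fit. The buffer size, function names and the request strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64  /* hypothetical fixed-size buffer for a request path */

/* Unsafe pattern: copies the request into a fixed buffer with no length
   check. A request longer than PATH_BUF-1 bytes writes past the end of
   `path`, which is the defect class the article describes. Shown only
   for contrast; it is never called with oversized input in this file. */
static void parse_path_unchecked(const char *request, char path[PATH_BUF]) {
    strcpy(path, request);
}

/* Hardened pattern: measure the input against the buffer first and refuse
   anything that would not fit, then copy exactly that many bytes. */
int parse_path_checked(const char *request, char *path, size_t path_size) {
    size_t len = 0;
    /* Scan at most path_size bytes so an unterminated input cannot run away. */
    while (len < path_size && request[len] != '\0') {
        len++;
    }
    if (len >= path_size) {
        return -1;  /* would overflow: reject the request instead of copying */
    }
    memcpy(path, request, len);
    path[len] = '\0';
    return 0;
}

/* Convenience check: 1 if `request` fits in a buffer of `path_size`, else 0. */
int request_fits(const char *request, size_t path_size) {
    char tmp[PATH_BUF];
    if (path_size > sizeof tmp) {
        path_size = sizeof tmp;
    }
    return parse_path_checked(request, tmp, path_size) == 0;
}

/* Runs a short, constructed request and an oversized one through the
   checked parser; returns 1 when the short one is accepted and copied
   intact and the long one is rejected. */
int checked_demo(void) {
    char path[PATH_BUF];
    char oversized[PATH_BUF * 3];

    /* Constructed oversized request: 3*PATH_BUF-1 'A' characters. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (parse_path_checked("/index.html", path, sizeof path) != 0) return 0;
    if (strcmp(path, "/index.html") != 0) return 0;
    if (parse_path_checked(oversized, path, sizeof path) != -1) return 0;
    return 1;
}

int main(void) {
    char path[PATH_BUF];
    /* The unchecked routine is only exercised with input that fits. */
    parse_path_unchecked("/default.htm", path);
    printf("unchecked copy: %s\n", path);
    printf("checked demo: %s\n", checked_demo() ? "ok" : "failed");
    return 0;
}
```

The checked version fails closed: an over-long request is turned away with an error instead of being written past the buffer, which is the behaviour a patch for this class of defect restores.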
Microsoft recommends that IIS operators either download the patch separately or, if running Windows XP, retrieve the fix using the automatic update feature. The IIS 4 patch requires that Service Pack 6a be applied to Windows NT Server. The IIS 5 patch can be applied to Windows 2000 running either Service Pack 1 or 2. Microsoft recommends that the IIS 5.1 patch be applied to systems running Windows XP Professional.
The IIS 5 patch will be included in Windows 2000 Service Pack 3, which is in beta testing. The fixes for IIS 5.1 will be included in Windows XP, which is expected to begin beta testing next month.
In addition to applying the patches, Microsoft said, IIS operators should download and use IIS Lockdown Tool 2.1, which turns off unnecessary features that if left on could create vulnerabilities for hackers to exploit.