The patch will eliminate a security hole that affects Web sites using Microsoft IIS 4.0 or 5.0 as a Web server, the company said. The vulnerability would enable a malicious person to read, write, add, change or delete files or Web pages. The server software delivers Web pages to people browsing the Net.
Microsoft said a patch that was released in August for a different security hole would provide protection against this vulnerability.
"We're doing our level best to make sure that all our customers know that it is a serious vulnerability...and what they can do about the problem," said Scott Culp, a program manager with Microsoft's Security Response Center. "The answer is one piece of good news--the patch has actually been available for two months."
Culp said that Microsoft has not received any reports of Web site attacks.
Customers who had already applied the patch, which keeps malicious people from gaining the ability to penetrate certain types of files hosted on Microsoft IIS, do not need to take any additional action. But, the company recommends that those who have not installed the patch take immediate action to protect their systems.
"If you don't have the patch installed, then this is a higher risk problem (than the previous vulnerability)," said Elias Levy, chief technology officer for SecurityFocus.com. "It gives control or allows anyone on the Internet to get control of your Web server."
Levy said that the Microsoft IIS is highly popular with companies, which use and create Web sites with the software.
Microsoft said that the patch can be downloaded from the "Patch Availability" section of its security bulletin.