Microsoft has confirmed that attackers have exploited a
vulnerability in the firm's Internet Information Services (IIS)
software.
The vulnerability, which allows attackers to take over a server or
conduct a denial-of-service attack, is in the file transfer
function.
The problem was initially said to affect versions 5.0, 5.1, 6.0
and 7.0 of Microsoft's IIS product, but an updated
security advisory included version 7.0.
Microsoft said version 7.5 of the FTP protocol is not vulnerable
to any of the known exploits and can be downloaded and installed on
IIS 7.0 to protect it.
"The Download Center has FTP 7.5 available for Windows Vista and
Windows Server 2008," said Alan Wallace of the Microsoft security
response center.
For all other users, Microsoft recommends IIS users implement
the workarounds provided in the Advisory under the Workaround
section, Wallace wrote in a blog.
Users should follow these guidelines until Microsoft releases a
security update once it reaches an "appropriate level of quality
for broad distribution," he wrote.
Wallace said more information on suggested actions can be found
in Microsoft Knowledge Base Article 975191.