Microsoft has confirmed that it is investigating reports of a vulnerability in the firm's Internet Information...
Services (IIS) software.
The vulnerability that could allow an attacker to take over a server is reported to be in the file transfer function of versions 5.0, 5.1 and 6.0 of Microsoft's IIS product.
Microsoft said in a security advisory that although detailed exploit code has been published for this vulnerability, the company is not aware of any active attacks.
"Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary," the advisory said.
Microsoft said that it will take appropriate action, which may include a patch to be released in the next monthly security update or sooner if necessary.
The company warned that users of IIS may be at risk because the vulnerability was not responsibly disclosed.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," the advisory said.
The "Workarounds" section of the advisory includes guidelines for steps users of IIS can take to protect systems from potential attacks until a patch is released.