Microsoft promises IIS bug patch
Microsoft last Tuesday issued a formal security advisory for the vulnerability in three older versions of its Internet Information Services server, a day after the exploit code went public.
On Wednesday, it issued the advisory that the patch was in development.
As a result of the flaw, IIS's FTP server fails to properly parse specially crafted directory names, allowing hackers to force a stack buffer overflow and then inject malicious code onto the Web server.
In the short term, Microsoft urged administrators responsible for IIS 5.0, 5.1 and 6.0 Web servers to make one of several suggested defensive moves, any one of which will stymie the currently known exploits.