Microsoft Pushes Critical IIS Patch
Microsoft late last week issued a critical cumulative patch that fixes 10 vulnerabilities in the company's IIS Web server software, which runs on Windows XP, Windows 2000 and NT 4.0. In the security bulletin, Microsoft recommends that all Web site operators running IIS install the patch immediately to avoid having their computers taken over by an attacker.
However, Microsoft managers sent an internal e-mail last week demanding that all staff install the patch by Tuesday or be blocked from the Internet, even if IIS is not enabled, demonstrating the potential severity of the flaws involved.
Windows XP users can receive the patch automatically via AutoUpdate or visit Windows Update, as Windows 2000 and NT 4.0 users must do. Alternatively, a direct download of the patch is available for each version of IIS. Windows .NET Server beta users running build 3605 or later are not affected by these vulnerabilities.
In order to help promote better security practices, Microsoft released an update to its IIS Lockdown Tool, which can automatically turn off unused features in IIS and ensure that a server is protected against known attacks.