Microsoft has activated its security response process to deal with the release of a exploit code targeting an unpatched vulnerability affecting IIS 5.0 through 6.0.
The company released a formal pre-patch advisory to acknowledge the vulnerability and offer mitigation guidance for customers.
Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports.