Part of the statement reads: "These types of Denial of Service issues are common on the Internet and could happen to any Web server. However, this bug does not compromise sensitive data in any way. It forces IIS to become unavailable for a short time and is easily remedied by restarting the Web server... Microsoft takes issues like these very seriously and has responded rapidly by addressing the issue with a permanent fix that prohibits this specific type of attack and also records the IP address of the attacker in a log file... A malicious hacker could write a program to find the exact character sequence. A hacker simply can't publish a URL that would bring down an IIS server."
The bug was on reported on the Bugtraq mailing list for developers sharing data about security bugs in Unix and related operating environments.