Jun 5th, 2007 by Tuxi
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security.
In the section on STATUS, Microsoft states,
“This behavior is by design.”
The eWeek article also states that Microsoft publishes the exploit (in the same KB article), but I didn’t see it unless the general description of the behavior constitutes an exploit.
Microsoft clearly wants the revenue associated with an upgrade. I urge anyone who is faced with this issue to spend their money wisely — invest the time and energy to move from IIS to Apache (preferably on Linux). Once the administrators are up to speed on the new system, you don’t need to worry about M$ exposing you to security risks unless you pay up (by upgrading). I find Microsoft’s behavior on this issue reprehensible. (Of course, I’m not a big fan of Microsoft in any case.)