Microsoft has released a patch that addresses a vulnerability that could allow an attacker to, among other things, launch programs. Any site running either Microsoft Internet Information Server (IIS) 4.0 or 5.0 is vulnerable.
As demonstrated in an email by Rain.Forest.Puppy, a malicious user could use the UNICODE values %c0%af and %c1%9c to launch arbitrary commands or retrieve directory listings.
Microsoft has released a security bulletin, MS00-0078, warning of the problem. The patch included in Microsoft security bulletin MS00-0057 addresses this problem.
For IIS 4.0 visit: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
For IIS 5.0 visit: http://www.microsoft.com/windows2000/downloads/critical/q269862
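The two values named above are overlong two-byte UTF-8 encodings of `/` (0x2F) and `\` (0x5C), so a filter that inspects a URL before it is decoded never sees the separator. The following log-review check is an added example, not code from Microsoft or from the original advisory; the function names and the sample request URIs are constructed for illustration, and it generalizes from the two values to any two-byte overlong sequence.

```python
from urllib.parse import unquote_to_bytes

def find_overlong(uri):
    """Return (byte_offset, raw_hex, aliased_char) for every overlong
    two-byte UTF-8 sequence in a percent-encoded request URI.

    Lead bytes 0xC0 and 0xC1 can only encode code points below 0x80,
    which valid UTF-8 must write as a single byte."""
    raw = unquote_to_bytes(uri)
    hits, i = [], 0
    while i < len(raw) - 1:
        lead, cont = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            # What a lenient decoder would turn the pair into.
            code = ((lead & 0x1F) << 6) | (cont & 0x3F)
            hits.append((i, raw[i:i + 2].hex(), chr(code)))
            i += 2
        else:
            i += 1
    return hits

def strict_decode_ok(uri):
    """True if the URI's bytes are valid UTF-8 under a strict decoder,
    which is the behaviour a patched or hardened parser should have."""
    try:
        unquote_to_bytes(uri).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def flag_requests(uris):
    """Return only the URIs that carry an overlong sequence, with details."""
    flagged = []
    for uri in uris:
        hits = find_overlong(uri)
        if hits:
            flagged.append((uri, hits))
    return flagged

# Constructed request URIs, as they might appear in a web server log.
SAMPLE_URIS = [
    "/index.html",
    "/caf%c3%a9/menu.html",   # legitimate two-byte UTF-8 (e with acute accent)
    "/a%c0%afb",              # overlong encoding of '/'
    "/a%c1%9cb",              # overlong encoding of '\'
]

if __name__ == "__main__":
    for uri, hits in flag_requests(SAMPLE_URIS):
        print(uri, hits)
```

Matching on the decoded bytes rather than on the literal strings also catches mixed-case escapes such as `%C0%AF`.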