Peter Grundl discovered that a script originally included with IIS 3.0 can be used to cause denial of service attacks against IIS 4.0 and 5.0. The script is preserved on the system when an upgrade to IIS 4.0 or 5.0 is performed, even though the script is of no use on those versions of the operating system.
Zuo Lei discovered a new variation of the older .HTR code exposure problem, where fragments of .ASP and other files could potentially be retrieved from the server.
Patches are available at:
"Note: The patch should only be installed by customers who have a business-critical need for the .HTR functionality. Microsoft recommends that all other customers disable the .HTR functionality altogether, as discussed in the FAQ.
Note: Customers who choose to install the patch should also strengthen the permissions on the /scripts/iisadmin folder in each web site on the server, and ensure that only administrators can access it."