Internet Information Server, as most web servers, support the use of session ID cookies. However, .ASP does not support the creation of secure session cookies. As a result, the same session ID cookies are used for secure (SSL) and non-secure sessions. Under certain circumstances this would allow a malicious user to hijack a users secure session.
Microsoft has released a security advisory, MS00-0080 and the following patches are available;
Internet Information Server 4.0:
Internet Information Server 5.0: