This is the second all-encompassing IIS patch released by the software giant, a company that has come under fire for repeated security breaches in its operating systems, Internet browser, and IIS applications over the years.
The 10 vulnerabilities, found by Microsoft technicians, eEye Digital Security, Entrust Technologies, @Stake, and several private individuals, run the gamut of the hacker's handbook. Four are considered "critical" vulnerabilities that demand immediate fixes, the bulletin states.
From buffer overrun bugs to denial-of-service vulnerabilities, the wide-ranging patch repairs flaws that can be found in IIS 4.0, IIS 5.0, and IIS 5.1. According to Microsoft officials, beta versions of its .Net Server (build 3605) software, using IIS 6.0, already have the fixes in place, but they warned against companies using the product on their intranets.
"By definition, beta products are incomplete, they're intended for evaluation purposes and shouldn't be used in production systems," the bulletin reported.
ASP is an oft-maligned technology many developers consider the main reason for Microsoft's software security woes. Unfortunately for Microsoft and its many customers, it's the linchpin behind the company's Internet/intranet and Web services, allowing Web servers to dynamically generate Web applications.
Some believe, however, it is unfair to single Microsoft out for the current security issues. Last October, the research firm Meta Group found it was partly the responsibility of systems administrators to keep up to date with patches before hackers find the affected systems.
The patch can be found here.