Rangos' bug can be traced to 2001, the year that the "Code Red" worm slowed Windows-based networks to a crawl, said Zoller, who noted that eight years ago Microsoft patched a path traversal bug in May 2001. "Its resemblance to the IIS Unicode flaw from 2001 was so similar that my jaw first dropped," he said in a blog entry last Saturday. "The bug discovered by Rangos seems to suffer from a similar logic mistake [as MS01-026]." Later that year, Microsoft patched other IIS bugs, including the one exploited by Code Red.
This newest flaw, however, is not related to the Code Red vulnerability.
Microsoft's Ness outlined several workarounds that users could take until a patch was available, including disabling WebDAV in IIS 5, 5.1 and 6. The company did not explicitly promise a patch, but its advisory included boilerplate language -- "Microsoft will take the appropriate action to help protect our customers" -- that typically indicates a fix is forthcoming.
The next regularly-scheduled Microsoft patch day is June 9, three weeks from today.