Microsoft on Wednesday admitted to three serious new security vulnerabilities, one of which could allow attackers to seize control of Web sites utilizing Internet Information Services (IIS), the company's Web server. IIS currently runs over one-third of all Web sites on the Internet, though it has a larger percentage of the market for corporate Web sites. Microsoft has issued a patch for this vulnerability, which affects the IIS versions in Windows NT and 2000, but not XP.
Two other vulnerabilities affect Microsoft's Internet Explorer (IE) and MSN Messenger applications; both are described as "critical." The IE vulnerability, which was announced last week, but was recently found to be more serious than initially expected, affects versions 5.01, 5.5, and 6.0 of the product, as well as Proxy Server 2.0 and ISA Server 2000. The MSN Messenger vulnerability is actually fixed by a patch that was released in May, but could allow attackers to run programs on the user's PC. This vulnerability also affects MSN Chat and Exchange Messenger.
End users can upgrade MSN Messenger through Auto Update or Windows Update. For server-based patches, please refer to the Microsoft Security Web site.
