The flaw was made public Thursday, when security researcher Nikolaos Rangos posted details of the vulnerability to the Full Disclosure security mailing list. By sending a specially crafted HTTP request to the server, he was able to view and upload files on the machine. The attack takes advantage of a bug in the way that Microsoft's software processes Unicode tokens, he said.
The vulnerability , the U.S. Computer Emergency Response Team said Monday.
In a statement, Microsoft said it hadn't heard of any such attacks, but that it was investigating Rangos' claims. "We are working on a security advisory to provide customers with guidance," the company said Monday.
The bug affects IIS 6 users who have enabled the WebDAV (Web-based Distributed Authoring and Versioning) protocols, used to share documents via the Web.