The flaw can be exploited to let an attacker take control of an older IIS (Internet Information Services) 5.0 server running on Windows 2000, provided the hacker has some way of creating an FTP (File Transfer Protocol) directory on the server. Attack code that exploits the bug was

Other IIS users could also be hit with a denial of service (DoS) attack, thanks to a posted to the Milw0rm Web site on Thursday.

This new code could be used to launch a DoS attack against IIS 5.0, 5.1, 6.0 and 7.0, and could affect users running IIS on Windows XP and Windows Server 2003, Microsoft said. For the attack to work, however, the server needs to be running the FTP service, and the attacker must be able to read files on the system.

Microsoft on the issue late Thursday, saying it was starting to see "limited attacks that use this exploit code."

That generally means that only a handful of attacks have been spotted. Other security vendors contacted Friday said they had not seen the IIS bug being used in attacks.