After code released, Microsoft to patch IIS bug

02.09.2009

Even for IIS 5 and 6 users, there's another mitigating factor: "Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access," Microsoft said.

Although nobody has yet reported real-world attacks using Rangos's code, security vendor Symantec said that "many systems will be vulnerable across the internet and that in-the-wild attacks will occur."

Another security company, Secunia, rates the flaw

Last May, Web analytics firm Netcraft counted 2.8 million sites still using the IIS 5 software, but it's not clear how many of them would have the FTP set-up that would make them vulnerable to this attack.