Microsoft has released a cumulative patch for IIS 4.0 and 5.0. In addition to eliminating virtually all previously identified security vulnerabilities in IIS, it also eliminates several newly discovered ones. These include three denial of service vulnerabilities, one of which is exploited by the Code Red worm, and two vulnerabilities that could enable an attacker with the ability to load low-privilege code on the server to gain higher privileges.
This cumulative security update includes every update released for Internet Information Server (IIS) 5.0, and is discussed in Microsoft Security Bulletin MS01-044. This update addresses four new vulnerabilities: two security vulnerabilities that could enable a malicious user to temporarily disrupt the service of IIS 5.0, and two security vulnerabilities that could enable a malicious user to gain unauthorized privileges on your Web server. This version is the first release on CNET Download.com.