During the Christmas holiday period reports were logged that a zero day vulnerability affected Microsoft Internet Information Services (IIS). Microsoft are taking the matter seriously and their reports show that only specific configurations of IIS are in fact vulnerable to these attacks.
Security firm Secunia reported that the vulnerability is caused by the web server “incorrectly executing ASP code included in a file having multiple extensions separated by ‘;’. This can be exploited to upload and execute ASP code via a third party application using file extensions to restrict uploaded file types. The issue is that IIS can then execute any extension as an Active Server page and many file uploader packages protect the system by checking only the file extension.