SPI Labs and NSFocus have discovered multiple holes in IIS. Two denial of service conditions exist that can allow an attacker to cause IIS to stop responding. One Cross site scripting issue exists in the 302 redirection pages, and one buffer overflow that allows command execution as the webserver user. The buffer overflow requires the user to have upload ability, and Server Side Include permissions.

Microsoft advisory

Fix:
To apply this patch run windows update and install patch "Q811114:"