Microsoft warns of IIS flaw
Published: 2009-09-02

Microsoft warned its users on Tuesday that an exploit has been published for a previously unknown vulnerability in the file transfer protocol (FTP) component of its Internet Information Services (IIS) software.

The stack-overflow flaw allows attackers to remotely exploit servers if they are able, as untrusted users, to create directories. The security bug can be exploited by writing a long, specially crafted directory name to the server, Microsoft stated in its advisory. The vulnerability affects IIS 5.0 for Windows 2000, IIS 5.1 for Windows XP and IIS 6.0 for Windows Server 2003.

"If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs," members of Microsoft Security Response Center (MSRC) wrote on the group's blog.

Microsoft offered three potential workaround strategies. IIS administrators can turn off the FTP service, if it is not being used. A second alternative is to prevent the creation of any new directories through access control lists (ACLs). Finally, the IIS settings can be used to prevent anonymous users from creating new directories.

IIS 7.0 running on Windows Vista or Windows Server 2008 is not affected by the vulnerability, Microsoft stated.
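For administrators who must keep the FTP service running, the following added example (not taken from Microsoft's advisory or from SecurityFocus) shows one way to review FTP logs for the directory-creation activity described above. The W3C-style field layout, the `[n]` session prefix on the verb, the `anonymous` user name and the 128-character threshold are assumptions, and the sample log lines are constructed.

```python
import re

# Constructed sample in W3C extended log style (assumed layout, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
10:00:01 192.0.2.10 - [1]USER anonymous 331
10:00:01 192.0.2.10 - [1]PASS user@example.com 230
10:00:02 192.0.2.10 anonymous [1]MKD reports 257
10:00:09 198.51.100.7 - [2]USER anonymous 331
10:00:09 198.51.100.7 - [2]PASS x@example.com 230
10:00:10 198.51.100.7 anonymous [2]MKD {long} 550
10:00:15 192.0.2.44 alice [3]MKD uploads+2009 257
""".replace("{long}", "A" * 300)

MAX_DIR_NAME = 128            # assumed alert threshold, not from the advisory
MKDIR_VERBS = {"MKD", "XMKD"}  # FTP verbs that create a directory
ANON_USERS = {"anonymous"}     # assumed name logged for anonymous sessions

def scan_ftp_log(text, max_len=MAX_DIR_NAME):
    """Return directory-creation records that deserve a closer look."""
    fields, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # malformed or truncated record
        rec = dict(zip(fields, parts))
        # Strip the assumed session-id prefix, e.g. "[2]MKD" -> "MKD"
        verb = re.sub(r"^\[\d+\]", "", rec.get("cs-method", "")).upper()
        if verb not in MKDIR_VERBS:
            continue
        name, user = rec.get("cs-uri-stem", ""), rec.get("cs-username", "-")
        reasons = []
        if len(name) > max_len:
            reasons.append("long-name")
        if user.lower() in ANON_USERS:
            reasons.append("anonymous-mkdir")
        if reasons:
            findings.append({"line": lineno, "ip": rec.get("c-ip", "-"),
                             "user": user, "name_len": len(name),
                             "status": rec.get("sc-status", "-"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*scan_ftp_log(SAMPLE_LOG), sep="\n")
```

Any `anonymous-mkdir` finding also indicates that the workaround of denying directory creation to anonymous users is not yet in effect on that server.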

If you have tips or insights on this topic, please contact SecurityFocus.



Posted by: Robert Lemos
Copyright 2009, SecurityFocus