Proof-of-concept code first was published Monday on exploit repository Milw0rm, prompting US-CERT to issue an alert the following day.
In a post on the Microsoft Security Response Center blog, Alan Wallace, senior communications manager, said the flaw affects IIS versions 5.0, 5.1 and 6.0 that are connected to the internet. He added that the software giant is not aware of any active attacks or customer impact.
But he conceded that in-the-wild exploits are possible considering the code was publicly posted before Microsoft learned about the bug.
"The vulnerability was not responsibly disclosed to Microsoft and may put customers at risk," Wallace said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
Microsoft, in the advisory, suggests three workarounds that it encourages customers to implement.
Jason Miller, security team leader for patch management firm Shavlik Technologies, said administrators should immediately identify potentially vulnerable FTP servers.
"In addition, they should be looking for all FTP servers, not just production FTP servers," he said in a statement.
However, Miller said if organizations have properly secured their servers -- by not allowing untrusted FTP users to be granted "write access" -- the vulnerability should not affect them.