With a Friday update to a Security Advisory it issued on Tuesday, Microsoft has expanded its 'word of caution' about a vulnerability in its Internet Information Services (IIS) server software, which hosts Web sites.
Microsoft said that while it continues working on a security update to fix the IIS vulnerability, the advisory's instructions provide workarounds, such as turning off different elements of the vulnerable File Transfer Protocol (FTP) service, which is used for uploading and downloading files.
While Microsoft had earlier asserted that IIS 7.0 (Windows Vista and Windows Server 2008) is not vulnerable, it has now acknowledged that further proof-of-concept exploits reveal that IIS 5.0, 5.1, 6.0, and 7.0 are all vulnerable to denial-of-service (DoS) attacks.
According to Microsoft's recent advisory, the IIS vulnerability could allow miscreants to run arbitrary code on a server using FTP on IIS 5.0, and to launch a DoS attack using FTP on IIS 5.1, 6.0, and 7.0. However, because the current version 7.5 is unaffected by the vulnerability, Microsoft suggested that IIS 7.0 can be protected by downloading and installing IIS 7.5 on it.
Along with advising IIS users to turn off the FTP service when not in use, Microsoft also disclosed its plans to release five "critical" Security Bulletins on Tuesday, September 8, in line with its customary "patch day" schedule.












