Saying that an Internet Information Server exploit is <A HREF="http://www.eweek.com/article2/0,1895,2141587,00.asp?kc=EWKNLNAV060507STR2">due to a feature, not a flaw,</A> Microsoft has published exploit code for the flaw but no workaround or patch. (Microsoft has removed the exploit code since this story was first posted, saying that it was posted inadvertently.)
The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow basic authentication to be bypassed through the "hit-highlighting" feature. An unauthorized user can use the hit-highlighting feature to retrieve documents for which he or she has no privileges.