More on IIS WebDAV Vulnerability

Previously it had been suggested that ACLs within IIS 6.0 could be used to help mitigate against exploitation of the Unicode vulnerability that exists within IIS. However it seems that it could actually be possible to use the vulnerability to bypass those ACLs too and gain access to any protected resources, find out more here.

Additionally it seems that the vulnerability affects IIS 5.0 and IIS 5.1, alas with IIS 5 WebDAV is enabled by default according to Microsoft. Additionally Todd Manning over at BreakingPoint labs has conducted a bunch of tests to determine which Unicode encodings can be used with this vulnerabiltiy to bypass any authentication, you can seem more on this here.

The best advice until Microsoft get round to releasing a fix is disable WebDAV on any IIS 5, IIS 5.1 and IIS 6.0 machine.