The IIS team has been alerted to the claim of a new security issue in IIS 6, and I wanted to explain the issue and our position on it.
Some customers have reported that application pools fail to start after applying KB 973917 on Windows Server 2003, the update that adds support for Extended Protection in Windows Authentication. The root cause is that the affected machines are in an unsupported state: SP1 versions of the IIS binaries are present on an SP2 installation. Product support has released KB 2009746 describing how to resolve this issue; in summary, reinstall SP2 on such machines so that all IIS binaries are updated to the SP2 version.
We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called “Extended Protection” and must be applied at multiple layers before it is usable from IIS. An update to the earlier Microsoft Advisory 973811 now adds the IIS fixes to the list of components that support Extended Protection. This non-security update is provided for IIS 6.0 on Windows Server 2003 and later.