I have to admit that FTP has always been a second-class citizen for the IIS security team, and we usually put all our efforts into the HTTP platform. There has always been a notion that our old FTP server (FTP 6.0-) was never really popular due to lack of features. With the recent FTP vulnerabilities it became evident that we were wrong on multiple counts, and so it seems like this is a good time to do a securing your FTP server 101 blog.
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities:
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer the advisory @ http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact of vulnerabilities. I have previously discussed this information in an earlier blog post and have updated this post as well. Microsoft Security Response Center (MSRC) has a revised blog as well.