Another security hole has been found in IIS and this time it's a biggie. There's a buffer overflow in the handling of .HTR files that can potentially allow arbitrary code to be run on the server. Microsoft's advice is to remove the script mapping for this file type. But then you've already removed all script mappings you don't explicitly use anyway haven't you. The hole was found by eEye using a scanning tool that has some interesting AI software built into it. They've also released a working version of the exploit so you can test if your server is vulnerable.