Unpatched flaw could take down Microsoft's IIS server

The attack also works on IIS 6, he said, but because IIS 6 has a defensive measure called "stack cookie protection," the code can only be used to crash IIS 6 running on Windows Server 2003, Rangos said.

Rangos did not notify Microsoft before posting his attack code, so the company has not had much time to work out a fix.