The configuration change is currently available on Microsoft’s Download Center and will be made available later today on Windows Update.

US-CERT notes that the configuration change is a workaround for the IE security hole, rather than a cure. “Disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks,” the agency noted in an update. “This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands.”

Microsoft says the server exploit affected machines running Windows 2000 and IIS 5.0 server that were not fully patched against a bevy of security holes detailed in April, known collectively as MS04-011. The initial version of the patch included bugs that crashed Win2K systems. Microsoft is referring system admins to a knowledgebase article detaling the workarounds and fixes available for affected Win2K machines.