Well it would seem that most exploit developers have taken aim at the Microsoft Windows Office suite of applications for bug hunting. They have indeed found a rich harvest. It is actually a pleasant surprise that so far IIS 6 has not fallen to remote code execution, or at least not publicly anyways. There have been some rumors gathering as of late over just that, but I have not heard anything concrete, and certainly not seen any POC. I will be most curious to see when and if IIS 6 does fall to RCE. Either way, Microsoft still has a long ways to go before secure coding takes a front-seat in their coding life-cycle. Much like they did with IIS 6, perhaps they should always hire high priced talent such as Dave Aitel, HD Moore, Mike Sues, or other such talent to vet their code trees. Would likely save them a lot of embarassment.