Multiple 'critical' holes have been discovered in Microsoft's IIS web server that could allow a malicious hacker to remotely gain control of a machine.
Microsoft has released a pack of 10 patches for the holes and is advising users to apply them as a matter of urgency. The flaws range from 'mild' to 'critical' and allow an intruder either to crash or take control of a web server.
The most serious problem concerns a buffer overflow where a hacker could crash a machine with multiple identical repeated commands and then run arbitrary code. IIS versions 4, 5, 5.1 and those in beta test are all vulnerable.
Websites running dynamic active server page scripts on IIS are particularly at risk, the security bulletin said.
But a number of security websites and mailing lists are reporting problems applying the patches, and security experts are warning users to take precautions.
"Install the patch, but be careful because there may be a number of issues, so back everything up first," said Mark Read, network security analyst at MIS Corporate Defence Solutions.
He also advised users to turn off unused functions in IIS. "IIS comes with an awful lot of features, a lot of which are unused, so switch them off, particularly the Internet Server API filter."
Stuart Okin, Microsoft UK's chief security officer, told vnunet.com that the bundling of fixes and a proactive approach to notifying users are part of the company's new security processes.
"One of the big demands from customers is if we can roll these patches up, it is easier for them. This is a change in our processes," he said.
"We have mobilised all technical account managers for our enterprise customers, and 10,000 professional and premier IIS customers are being notified. It is part of the evolving process."