Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net

http://www.textraccaldron.com Published on 11th July 2006
 * Microsoft Security Bulletin MS06-034 - Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
 * Microsoft Security Bulletin MS06-033 - Vulnerability in ASP.NET Could Allow Information Disclosure (917283)

I am a bit confused why MS06-034 is marked with 'Remote Code Execution' since if we follow the same logic, then MS should also release an advisory called "Asp.Net allows Remote Code Execution"

Research questions

 * where are the vulnerabilities (any volunteers to reverse engineer the patches?)
 * MS06-034 should be on asp.dll
 * MS06-033 should be on the config files?
 * can the other dislosed vulnerabilites be expoited from an ASP.NET environment, namely
 * Vulnerability in Server Service Could Allow Remote Code Execution (917159)
 * Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

Dinis Cruz