“Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten release of [IIS] that is thoroughly and publicly tested….Gartner believes that this rewriting will probably not occur before the end of 2002.”
Gartner seems to suffer the common but moronic falacy that new or “completely rewritten” code is somehow less buggy than old code. IIS has been publically tested, for about six years now, on millions of web servers and with thousands of hackers trying to find bugs. Completely rewriting it would just introduce another set of bugs that would take another few years to find. Chances are that nobody on the current IIS team even remembers the bugs they fixed five years ago, even if they were on the team that long ago (unlikely), like their $DATA$ one and adding an extra period to the end of an ASP URL.
Completely rewriting code is a big-time mistake common of immature developers with no real software experience. I would say that “Gartner should know better” but I don't have very high expectations of them. [Joel on Software]