From the doc: 'This is a quick fix to allow .htr files therefore not breaking of functionality such as /iisadmpwd/. Some companies were asking if there was a possible way to fix the .htr hole without removing the .htr ISAPI filter. Here is the fix to do so. The filter patch we created will limit all .htr requests to 255 characters, therefore if someone tries the overflow it will get cut off and will never happen. Also, the IP address of the person trying the overflow is logged. This is a great deal better then the current recommendation from Microsoft to just remove the .htr ISAPI filter.'
ogle.dll