Re: IIS - not affected
Is that because it doesn't need to be, or what?
It's because Microsoft has its own SSL/TLS stack (SChannel, part of SSPI). Microsoft products don't use OpenSSL.
This is a vulnerability in a specific implementation of TLS. It is not a vulnerability in the TLS protocol, or in a cipher suite, which might affect multiple implementations. So it's not like the BEAST, CRIME, Lucky Thirteen, or RC4 attacks of recent memory.
IIS is not affected by Heartbleed for the same reason it wasn't affected by the Apple key-substitution bug or the GnuTLS "we skipped verifying the certificates and don't test our code" bug.