Microsoft finds ‘critical’ FrontPage security flaw

A flaw in the SmartHTML Interpreter contained in Microsoft Corp.’s FrontPage Server Extensions (FPSE) could enable an attacker to run malicious code or to instigate a denial of service attack, Microsoft said in a security advisory late Wednesday.

The flaw affects FrontPage Server Extensions 2000 and FrontPage Server Extensions 2002. Previous versions of this software are no longer supported, and may or may not be affected by these vulnerabilities, Microsoft said in the advisory.

Microsoft categorized the security hole as critical on Internet servers, moderate for intranet servers and no threat to client systems.

Microsoft advised Web site administrators to apply the available patch, or to ensure that the SmartHTML Interpreter is not available on the server by using a tool called the IIS Lockdown Tool. FPSE installs automatically on IIS (Internet Information Server) versions 4.0, 5.0 and 5.1, and can be uninstalled manually.

The vulnerability occurs because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all processor availability on a Web server using FrontPage Server Extensions 2000.

The flaw acts differently in FrontPage Server Extensions 2002, resulting in a buffer overrun if the server receives a request for a particular type of Web file, along with some specific parameters. That could allow an attacker to run malicious code on that server, Microsoft said.

FrontPage Server Extensions is a set of tools that can be installed on a Web site built with Microsoft’s FrontPage development software. The tools allow authorized personnel to manage the server and also add functions that are frequently used by Web pages, such as search and forms support.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads