MS FrontPage flaw allows attackers to get in

September 30, 2002

Microsoft warned Web site administrators on that a new flaw in its FrontPage extensions could allow an attacker to attackers to seize control of Web servers or crash the system.

Microsoft issued an advisory and a patch for the problem Wednesday.

According to the advisory the vulnerability is in the SmartHTML Interpreter in FPSE 2000 and 2002 and involves the way the interpreter handles requests for some Web files. The interpreter is designed to provide support for Web forms and other dynamic Web content.

In FPSE 2000, a malformed request would could cause most CPU usage to be consumed until the Web service is restarted.. For FrontPage Server Extensions 2002, the flaw could result in a buffer overrun and allow an attacker to run any code on the machine.

Microsoft categorized the security hole as 'critical' on Internet servers, 'moderate' for intranet servers and 'no threat' to client systems.

Microsoft advised website administrators to apply the available patch or to ensure that the SmartHTML Interpreter is not available on the server by using the IIS Lockdown Tool, a security application that disables many of the potentially dangerous functions in the IIS web server.

FrontPage Server Extensions are installed by default on IIS (Internet Information Services) versions 4.0, 5.0, and 5.1.