Critical Flaws Affront Microsoft's FrontPage

The software giant warns that a vulnerability in its FrontPage Extension Server could allow an attacker to crash your servers or run any code.
Posted September 26, 2002

Michael Chait

Microsoft is warning system administrators Thursday morning that a new vulnerability is lurking in a FrontPage extension tool known as the SmartHTML interpreter, which could be exploited to allow an attacker to cause a denial-of-service attack or run the code of their choice on their servers.

Microsoft has said that FrontPage Server Extensions (FPSE) 2000 and 2002 are both vulnerable, although the flaw affects each version differently.

With FPSE 2000, the flaw, discovered by Maninder Bharadwaj of the Digital Defense Services division of Digital GlobalSoft, could cause most CPU availability to be consumed until the Web service is restarted. An attacker could use this vulnerability to conduct a denial-of-service attack against an affected Web server. With FPSE 2002, the same flaw in the interpreter causes a buffer overrun, potentially allowing an attacker to run code of his choice.

Because Microsoft has the policy of no longer supporting older versions, it stated that versions released prior to 2000 may or may not be affected by these vulnerabilities.

FPSE is a set of tools that can be installed on a FrontPage-based Web site, which serves to allow authorized personnel to manage the server, as well as to add functions that are frequently used by Web pages, such as search and forms support.

The vulnerability lies in the SmartHTML interpreter, which supports certain types of dynamic Web content.

A security bulletin issued by Microsoft explains the flaw, stating: "If a request for a certain type of web file is made in a particular way, it could have the effect on a web server using FrontPage Server Extensions 2000 of causing the SmartHTML interpreter to cycle endlessly, consuming all of the server's CPU availability and preventing the server from performing useful work. On a web server using FrontPage Server Extensions 2002, this same type of request could have the effect of causing a buffer overrun and potentially allowing an attacker to run malicious code on that server."

Microsoft has designated the vulnerability as critical on both versions of FPSE. Since FPSE installs by default as part of IIS 4.0, 5.0 and 5.1, the company says the easiest way to mend the problem is to apply a patch. Microsoft released a patch this morning, which is available here for FPSE 2002 on all platforms, here for FPSE 2000 on NT4, and at Windows Update for systems running FPSE on Windows XP or 2000.

The issuance of warnings and patches is becoming a weekly ritual for the Redmond-based software giant. Despite a $100 million effort to improve security and the installation of a new security czar, Microsoft has already this year announced over 70 vulnerabilities in 53 separate advisories.

To date, the company has released even more vulnerabilities than it had at this time in 2001, and looks to be on track to outpace last year's overall number of vulnerabilities.

Microsoft could not be reached for comment this morning.
