Saturday, May 15, 2021

Critical Flaws Affront Microsoft’s FrontPage

Microsoft is warning system administrators Thursday morning that a new
vulnerability is lurking in a FrontPage extention tool known as a SmartHTML
interpreter that could be exploited to allow an attacker to cause a
denial-of-service attack or run the code of their choice their
servers.

Microsoft has said that FrontPage Server Extensions (FPSE) 2000 and 2002 are
both vulnerable, although the flaw affects each version differently.

With FPSE 2000, the flaw, discovered by Maninder Bharadwaj of the Digital
Defense Services division of Digital GlobalSoft, could cause most CPU
availability to be consumed until the Web service is restarted. An attacker
could use this vulnerability to conduct a denial of service attack against
an affected Web server. With FPSE 2002, the same flaw in the interpreter
causes a buffer overrun, potentially allowing an attacker to run code of the
his choice.

Because Microsoft has the policy of no longer supporting older versions, it
stated that versions released prior to 2000 may or may not be affected by
these vulnerabilities.

FPSE is a set of tools that can be installed on a FrontPage-based Web site,
which serves to allow authorized personnel to manage the server, as well as
to add functions that are frequently used by Web pages, such as search and
forms support.

The vulnerability lies in the SmartHTML interpreter, which supports certain
types of dynamic Web content.

A security bulletin issued by Microsoft explains the flaw, stating: “If a
request for a certain type of web file is made in a particular way, it could
have the effect on a web server using FrontPage Server Extensions 2000 of
causing the SmartHTML interpreter to cycle endlessly, consuming all of the
server’s CPU availability and preventing the server from performing useful
work. On a web server using FrontPage Server Extensions 2002, this same type
of request could have the effect of causing a buffer overrun and potentially
allowing an attacker to run malicious code on that server.”

Microsoft has designated the vulnerability as critical on both versions of
FPSE. Since FPSE installs by default as part of IIS 4.0, 5.0 and 5.1, the
company says the easiest way to mend the problem is to apply a patch.
Microsoft released a patch this morning, which is available here for FPSE 2002 on all platforms, here for
FPSE 2000 on NT4, and at Windows update for systems
running FPSE on Windows XP or 2000.

The issuance of warnings and patches is becoming a weekly ritual for
the Redmond-based software giant. Despite a $100 million
effort
to improve security and the installation of a new security
czar
, Microsoft has already this year announced over 70 vulnerabilities
in 53 separate advisories.

To date, the company has released even more vulnerabilities than it had at
this time in 2001, and looks to be on track to outpace last year’s overall
number of vulnerabilities.

Microsoft could not be reached for comment this morning.

Similar articles

Latest Articles

How IBM has Changed...

Think is IBM’s big annual conference, and again this year, it was digital. I’m noticing a sharp quality difference in shows like this where...

Database-Tuning Platform Launches and...

PITTSBURGH — A team out of Carnegie Mellon University is launching its automatic database-tuning product today with the help of $2.5 million in funding.   OtterTune,...

Top 10 Professional Services...

Professional services automation (PSA) software aims to offer service-based companies most of the software they will need to run their businesses in one package....

What is Data Aggregation?

Data aggregation is the process where raw data is gathered and presented in a summarized format for statistical analysis. The data may be gathered...