Critical Flaws Affront Microsoft’s FrontPage

Microsoft is warning system administrators Thursday morning that a new
vulnerability is lurking in a FrontPage extension tool known as a SmartHTML
interpreter that could be exploited to allow an attacker to cause a
denial-of-service attack or run code of the attacker's choice on their
servers.


Microsoft has said that FrontPage Server Extensions (FPSE) 2000 and 2002 are
both vulnerable, although the flaw affects each version differently.


With FPSE 2000, the flaw, discovered by Maninder Bharadwaj of the Digital
Defense Services division of Digital GlobalSoft, could cause most CPU
availability to be consumed until the Web service is restarted. An attacker
could use this vulnerability to conduct a denial of service attack against
an affected Web server. With FPSE 2002, the same flaw in the interpreter
causes a buffer overrun, potentially allowing an attacker to run code of
his choice.


Because Microsoft has the policy of no longer supporting older versions, it
stated that versions released prior to 2000 may or may not be affected by
these vulnerabilities.


FPSE is a set of tools that can be installed on a FrontPage-based Web site,
which serves to allow authorized personnel to manage the server, as well as
to add functions that are frequently used by Web pages, such as search and
forms support.


The vulnerability lies in the SmartHTML interpreter, which supports certain
types of dynamic Web content.


A security bulletin issued by Microsoft explains the flaw, stating: “If a
request for a certain type of web file is made in a particular way, it could
have the effect on a web server using FrontPage Server Extensions 2000 of
causing the SmartHTML interpreter to cycle endlessly, consuming all of the
server’s CPU availability and preventing the server from performing useful
work. On a web server using FrontPage Server Extensions 2002, this same type
of request could have the effect of causing a buffer overrun and potentially
allowing an attacker to run malicious code on that server.”


Microsoft has designated the vulnerability as critical on both versions of
FPSE. Since FPSE installs by default as part of IIS 4.0, 5.0 and 5.1, the
company says the easiest way to mend the problem is to apply a patch.
Microsoft released a patch this morning for FPSE 2002 on all platforms and
for FPSE 2000 on NT4; systems running FPSE on Windows XP or 2000 can get it
from Windows Update.


The issuance of warnings and patches is becoming a weekly ritual for
the Redmond-based software giant. Despite a $100 million effort to improve
security and the installation of a new security czar, Microsoft has already
this year announced over 70 vulnerabilities in 53 separate advisories.


To date, the company has announced even more vulnerabilities than it had at
this time in 2001, and looks to be on track to outpace last year’s overall
number of vulnerabilities.


Microsoft could not be reached for comment this morning.
