The problem affects FrontPage Server Extensions 2000 and FrontPage Server Extensions 2002. Previous versions of this software are no longer supported, and may or may not be affected by these vulnerabilities, Microsoft said in the advisory.
Microsoft categorised the security hole as critical on Internet servers, moderate for intranet servers and no threat to client systems.
Microsoft advised Web site administrators to apply a patch, or to ensure that the SmartHTML Interpreter is not available on the server. This can be done using the IIS Lockdown Tool. FPSE installs automatically on Internet Information Server (IIS) versions 4.0, 5.0 and 5.1, and can be uninstalled manually.
The vulnerability occurs because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all processor availability on a Web server using FrontPage Server Extensions 2000.
The flaw acts differently in FrontPage Server Extensions 2002, resulting in a buffer overrun if the server receives a request for a particular type of Web file. That could allow an attacker to run malicious code on that server, Microsoft said.
FrontPage Server Extensions is a set of tools that can be installed on a Web site built with Microsoft's FrontPage development software. The tools allow authorised personnel to manage the server and also add functions that are frequently used by Web pages, such as search and forms support.