News

Microsoft warns of "critical" FrontPage security flaw

A flaw in Microsoft's FrontPage Server Extensions (FPSE) could enable an attacker to run malicious code or instigate a denial of service attack, according to a Microsoft security warning.

The problem affects FrontPage Server Extensions 2000 and FrontPage Server Extensions 2002. Previous versions of this software are no longer supported, and may or may not be affected by these vulnerabilities, Microsoft said in the advisory.

Microsoft categorised the security hole as critical on Internet servers, moderate for intranet servers and no threat to client systems.

Microsoft advised Web site administrators to apply a patch, or to ensure that the SmartHTML Interpreter is not available on the server. This can be done using the IIS Lockdown Tool. FPSE installs automatically on Internet Information Server (IIS) versions 4.0, 5.0 and 5.1, and can be uninstalled manually.

The vulnerability occurs because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all processor availability on a Web server using FrontPage Server Extensions 2000.

The flaw acts differently in FrontPage Server Extensions 2002, resulting in a buffer overrun if the server receives a request for a particular type of Web file. That could allow an attacker to run malicious code on that server, Microsoft said.

FrontPage Server Extensions is a set of tools that can be installed on a Web site built with Microsoft's FrontPage development software. The tools allow authorised personnel to manage the server and also add functions that are frequently used by Web pages, such as search and forms support.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy