September 26, 2002, 9:06 AM — A flaw in the SmartHTML Interpreter contained in Microsoft Corp.'s FrontPage Server Extensions (FPSE) could enable an attacker to run malicious code or to instigate a denial of service attack, Microsoft said in a security advisory late Wednesday.
The flaw affects FrontPage Server Extensions 2000 and FrontPage Server Extensions 2002. Previous versions of this software are no longer supported, and may or may not be affected by these vulnerabilities, Microsoft said in the advisory.
Microsoft categorized the security hole as critical on Internet servers, moderate for intranet servers and no threat to client systems.
Microsoft advised Web site administrators to apply the available patch, or to ensure that the SmartHTML Interpreter is not available on the server by using a tool called the IIS Lockdown Tool. FPSE installs automatically on IIS (Internet Information Server) versions 4.0, 5.0 and 5.1, and can be uninstalled manually.
The vulnerability occurs because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all processor availability on a Web server using FrontPage Server Extensions 2000.
The flaw acts differently in FrontPage Server Extensions 2002, resulting in a buffer overrun if the server receives a request for a particular type of Web file, along with some specific parameters. That could allow an attacker to run malicious code on that server., Microsoft said.
FrontPage Server Extensions is a set of tools that can be installed on a Web site built with Microsoft's FrontPage development software. The tools allow authorized personnel to manage the server and also add functions that are frequently used by Web pages, such as search and forms support.