| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 | ||||
 |
|
|||
 | ||||
|
|
|
||
|
||||||||||||||||||||||||||||||||||||||
 NEWSMicrosoft finds 'critical' FrontPage security flaw By David Legard September 26, 2002 5:13 am PT A FLAW IN the SmartHTML Interpreter contained in Microsoft's FrontPage Server Extensions (FPSE) could enable an attacker to run malicious code or to instigate a denial-of-service attack, Microsoft said in a security advisory late Wednesday.
Microsoft categorized the security hole as critical on Internet servers, moderate for intranet servers, and no threat to client systems. Microsoft advised Web site administrators to apply the available patch, or to ensure that the SmartHTML Interpreter is not available on the server by using a tool called the IIS Lockdown Tool. FPSE installs automatically on IIS (Internet Information Server) Versions 4.0, 5.0, and 5.1, and can be uninstalled manually. The vulnerability occurs because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all processor availability on a Web server using FrontPage Server Extensions 2000. The flaw acts differently in FrontPage Server Extensions 2002, resulting in a buffer overrun if the server receives a request for a particular type of Web file, along with some specific parameters. That could allow an attacker to run malicious code on that server, Microsoft said. FrontPage Server Extensions is a set of tools that can be installed on a Web site built with Microsoft's FrontPage development software. The tools allow authorized personnel to manage the server and also add functions that are frequently used by Web pages, such as search and forms support. David Legard is a Singapore correspondent for the IDG News Service, an InfoWorld affiliate. SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
