[ISN] FrontPage flaw puts servers in jeopardy

From: InfoSec News (isnat_private)
Date: Wed Sep 25 2002 - 23:35:53 PDT

    http://news.com.com/2100-1001-959577.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    September 25, 2002, 6:00 PM PT
    
    Microsoft warned Web site administrators on Wednesday that a flaw in
    its FrontPage extensions could allow an attacker to take control of
    their servers or cause the computers to seize up.
    
    In its 53rd advisory for the year, the software giant said a
    vulnerability in the SmartHTML interpreter could be exploited to cause
    a denial-of-service attack on the Web server if the computer had
    FrontPage Server Extensions 2000 running. For FrontPage Server
    Extensions 2002, the flaw could result in the attacker running the
    code of their choice, essentially taking control of the server.
    
    "If a request for a certain type of Web file is made in a particular
    way...(it could cause) the SmartHTML interpreter to cycle endlessly,
    consuming all the server's CPU availability," according to Microsoft's
    advisory.
    
    The company urged administrators to apply the patch for the problem or
    run the Internet Information Server lockdown tool, a security
    application that disables many of the potentially dangerous functions
    in Microsoft's IIS Web server.
    
    Despite launching its Trustworthy Computing initiative in January, the
    software giant has racked up more than 70 vulnerabilities outlined in
    53 advisories this year. Last week, Microsoft revealed three flaws in
    its Java virtual machine software.
    
    The same day, the government unveiled the National Strategy for
    Securing Cyberspace. While the strategy urged companies and security
    researchers to solve vulnerability issues quickly and discreetly, it
    didn't highlight software companies' problems in eliminating such
    flaws.
    
    Microsoft credited Digital Defense Services for finding the problem.
    