Information Security News mailing list archives

FrontPage flaw puts servers in jeopardy


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Sep 2002 01:35:53 -0500 (CDT)

http://news.com.com/2100-1001-959577.html

By Robert Lemos 
Staff Writer, CNET News.com
September 25, 2002, 6:00 PM PT

Microsoft warned Web site administrators on Wednesday that a flaw in
its FrontPage extensions could allow an attacker to take control of
their servers or cause the computers to seize up.

In its 53rd advisory for the year, the software giant said a
vulnerability in the SmartHTML interpreter could be exploited to cause
a denial-of-service attack on the Web server if the computer had
FrontPage Server Extensions 2000 running. For FrontPage Server
Extensions 2002, the flaw could result in the attacker running the
code of their choice, essentially taking control of the server.

"If a request for a certain type of Web file is made in a particular
way...(it could cause) the SmartHTML interpreter to cycle endlessly,
consuming all the server's CPU availability," according to Microsoft's
advisory.

The company urged administrators to apply the patch for the problem or
run the Internet Information Server lockdown tool, a security
application that disables many of the potentially dangerous functions
in Microsoft's IIS Web server.

Despite launching its Trustworthy Computing initiative in January, the
software giant has racked up more than 70 vulnerabilities outlined in
53 advisories this year. Last week, Microsoft revealed three flaws in
its Java virtual machine software.

The same day, the government unveiled the National Strategy for
Securing Cyberspace. While the strategy urged companies and security
researchers to solve vulnerability issues quickly and discreetly, it
didn't highlight software companies' problems in eliminating such
problems.

Microsoft credited Digital Defense Services for finding the problem.




-
ISN is currently hosted by Attrition.org