September 25, 2002

Security Advisory

http://www.microsoft.com/technet/security/bulletin/MS02-053.asp

Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution (Q324096)

Originally posted: September 25, 2002

Summary

Who should read this bulletin: Web site administrators using Microsoft® FrontPage Server Extensions

Impact of vulnerability: Buffer overrun or denial of service

Maximum Severity Rating: Critical

Recommendation: Web site administrators should apply the patch or ensure that the SmartHTML Interpreter is not available on the server.

Affected Software:

- Microsoft FrontPage Server Extensions 2000
- Microsoft FrontPage Server Extensions 2002
- Microsoft Windows 2000 (shipped FPSE 2000)
- Microsoft Windows XP (shipped FPSE 2000)

Technical description:

The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server Extensions (FPSE), and provides support for web forms and other FrontPage-based dynamic content. The interpreter contains a flaw that could be exposed when processing a request for a particular type of web file, if the request had certain specific characteristics. This flaw affects the two versions of FrontPage Server Extensions differently.

On FrontPage Server Extensions 2000, such a request would cause the interpreter to consume most or all CPU availability until the web service was restarted. An attacker could use this vulnerability to conduct a denial of service attack against an affected web server.

On FrontPage Server Extensions 2002, the same type of request could cause a buffer overrun, potentially allowing an attacker to run code of his choice.

Mitigating factors:

- The IIS Lockdown Tool, if used to configure a static web server, disables the SmartHTML Interpreter. Servers on which this has been done could not be affected by the vulnerability.
- FrontPage Server Extensions install on IIS 4.0, 5.0 and 5.1 by default, but can be uninstalled if desired. Servers on which this has been done could not be affected by the vulnerability.

Vulnerability identifier: CAN-2002-0692

Recommendation: download and install the software patch from Microsoft, available at the following locations:

* Microsoft FrontPage Server Extensions 2002 for all platforms.
  http://download.microsoft.com/download/FrontPage2002/fpse1002/1/W98NT42KMeXP/EN-US/fpse1002.exe
* Microsoft FrontPage Server Extensions 2000 for NT4.
  http://download.microsoft.com/download/fp2000fd2000/Patch/1/W9XNT4Me/EN-US/fpse0901.exe
* Microsoft FrontPage Server Extensions 2000 for Windows: use Windows Update
* Microsoft FrontPage Server Extensions 2000 for Windows 2000: use Windows Update
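
As an added example (not part of the Microsoft bulletin), the following Python script supports the recommendation to ensure the SmartHTML Interpreter is not available: it reads IIS W3C extended log lines and reports which clients requested shtml.dll and with what HTTP status. The sample log, its /_vti_bin/ path, the function names, and the rule that any status other than 404 means the DLL is still served are assumptions made for illustration.

```python
"""Report requests for the SmartHTML Interpreter (shtml.dll) in IIS W3C logs."""
from collections import Counter

# Constructed sample log for illustration; it is not data from the bulletin.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-09-26 10:01:12 192.0.2.10 GET /default.htm 200
2002-09-26 10:01:15 192.0.2.10 POST /_vti_bin/shtml.dll 200
2002-09-26 10:02:40 198.51.100.7 GET /_vti_bin/shtml.dll/contact.htm 200
2002-09-26 10:03:02 198.51.100.7 GET /_VTI_BIN/SHTML.DLL 404
#Fields: date time c-ip cs-uri-stem sc-status
2002-09-27 08:00:00 203.0.113.5 /images/logo.gif 200
2002-09-27 08:00:09 203.0.113.5 /_vti_bin/shtml.dll 404
"""


def shtml_requests(lines, target="shtml.dll"):
    """Count requests whose URI stem has `target` as a path segment.

    Returns a Counter keyed by (client IP, HTTP status).
    """
    fields, hits = [], Counter()
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, rows before any #Fields
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        segments = row.get("cs-uri-stem", "").lower().split("/")
        if target in segments:
            hits[(row.get("c-ip", "-"), row.get("sc-status", "-"))] += 1
    return hits


def still_served(hits):
    """Assumed heuristic: any status other than 404 means IIS resolved the DLL."""
    return any(status != "404" for _ip, status in hits)


if __name__ == "__main__":
    found = shtml_requests(SAMPLE_LOG.splitlines())
    for (ip, status), count in sorted(found.items()):
        print(f"{ip}  status={status}  requests={count}")
    print("interpreter still served:", still_served(found))
```

Run it over logs written after the patch or removal: only 404 responses for shtml.dll are consistent with the interpreter no longer being available, while legitimate clients in the earlier entries show which FrontPage forms depend on it.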