Critical Overflow in FrontPage Server Extensions
Microsoft has issued security bulletin MS02-053 for a vulnerability in FrontPage Server Extensions 2000 and 2002. The SmartHTML Interpreter (shtml.dll), which is included in all FPSE editions, has a buffer overflow that can be exploited by a malformed HTTP request. On systems running FPSE 2000, this could allow an attacker to consume all of a server’s CPU resources and create a denial of service condition; on FPSE 2002, an attacker could potentially execute arbitrary code with system privileges. The server extensions are installed by default with IIS 4.0 through 5.1, though the IIS Lockdown Tool disables the SmartHTML Interpreter. Microsoft has given this flaw a ‘Critical’ severity rating for Internet Servers. Patches for NT4, 2000, and XP are available in the advisory.
(N-Stalker Security Force)