In Microsoft Security Bulletin MS02-053, the company warns users of FrontPage Server Extensions 2002 and 2000 that they are vulnerable and should patch immediately. Users of previous versions "may, or may not" be affected by these security defects, because earlier versions are no longer supported and haven't been tested for this vulnerability. The flaw is within Microsoft's SmartHTML Interpreter, which provides support for Web forms and dynamic content.
According to the advisory, issued late Wednesday, users running FrontPage Server extensions 2000 are susceptible to a denial-of-service attack. Because of the flaw, the attacker could cause most CPU usage to be consumed until the Web service is restarted. Those running extensions used in FrontPage 2002 face an even more damaging vulnerability: The way the flaw works in that version creates a buffer overrun, so attackers potentially could run applications of their choice and do whatever they wish on the server.
If the Web server is static, Microsoft says the IIS Lockdown Tool disables the SmartHTML Interpreter. FrontPage Server Extensions are installed by default on Internet Information Services versions 4.0, 5.0, and 5.1, but can be removed.
For patches and more information, Microsoft's bulletin MS02-53 can be found at www.microsoft.com/security.