FrontPage flaw places servers in jeopardy

Microsoft warned Web site administrators on Wednesday that a flaw in its FrontPage extensions could allow an attacker to take control of their servers or cause the computers to seize up.

In its 53rd advisory for the year, the software giant said a vulnerability in the SmartHTML interpreter could be exploited to cause a denial-of-service attack on the Web server if the computer had FrontPage Server Extensions 2000 running. For FrontPage Server Extensions 2002, the flaw could result in the attacker running the code of their choice, essentially taking control of the server.

"If a request for a certain type of Web file is made in a particular way...(it could cause) the SmartHTML interpreter to cycle endlessly, consuming all the server's CPU availability," according to Microsoft's advisory.

The company urged administrators to apply the patch for the problem or run the Internet Information Server lockdown tool, a security application that disables many of the potentially dangerous functions in Microsoft's IIS Web server.

Despite launching its Trustworthy Computing initiative in January, the software giant has racked up more than 70 vulnerabilities outlined in 53 advisories this year. Last week, Microsoft revealed three flaws in its Java virtual machine software.

The same day, the government unveiled the National Strategy for Securing Cyberspace. While the strategy urged companies and security researchers to solve vulnerability issues quickly and discretely, it didn't highlight software companies' problems in eliminating such problems.

Microsoft credited Digital Defense Services for finding the problem.