Microsoft KB Archive/280322

= FP2000: MS00-100: Patch for Malformed Web Form Submission Security Vulnerability =

Article ID: 280322

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft FrontPage 2000 Server Extensions




This article was previously published under Q280322



SYMPTOMS
Microsoft has released a patch that eliminates a security vulnerability in a component that is included with Microsoft Internet Information Server (IIS). The vulnerability could potentially allow an attacker to prevent an affected Web server from providing useful service.

The FrontPage Server Extensions are included with and installed by default as part of IIS 4.0 and 5.0. The most familiar functions of FrontPage Server Extensions allow Web site and content management; however, FrontPage Server Extensions also provide browse-time support functions. Included in the latter category are functions that help process Web forms that users submit. A vulnerability exists in one of these functions. If a malicious user sent a specially malformed form submission to an affected server, the IIS service would fail. The vulnerability does not provide the opportunity to misuse any of the FrontPage Server Extensions administrative or content management functions.

To resume normal operation on an IIS 4.0 server, the operator must restart the service. In contrast, if an IIS 5.0 server was attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any Web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted.

NOTE: In keeping with best practices, Microsoft recommends that the FrontPage Server Extensions be turned off if not needed.



RESOLUTION

Microsoft Windows 2000
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The following files are available for download from the Microsoft Download Center:

 * English Language Version
 * Arabic Language Version
 * Chinese (Simplified) Language Version
 * Chinese (Traditional) Language Version
 * Czech Language Version
 * Danish Language Version
 * Dutch Language Version
 * Finnish Language Version
 * French Language Version
 * German Language Version
 * Greek Language Version
 * Hebrew Language Version
 * Hungarian Language Version
 * Italian Language Version
 * Japanese Language Version
 * Japanese NEC Language Version
 * Korean Language Version
 * Norwegian Language Version
 * Polish Language Version
 * Portuguese (Brazilian) Language Version
 * Portuguese Language Version
 * Russian Language Version
 * Spanish Language Version
 * Swedish Language Version
 * Turkish Language Version

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

    Date        Time      Version     Size     File name
    ------------------------------------------------------
    11/10/2000  10:21 pm  4.0.2.4701  593,976  Fp4autl.dll

Microsoft Windows NT 4.0
To resolve this problem, obtain the individual package referenced below or obtain the Windows NT 4.0 Security Rollup Package. For additional information on the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)

The following file is available for download from the Microsoft Download Center:

Download Q280322i.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

    Date        Time      Version     Size     File name
    ------------------------------------------------------
    11/10/2000  10:21 pm  4.0.2.4701  593,976  Fp4autl.dll

NOTE: This patch can be applied to systems that are running Windows NT 4.0 Service Pack 5 or 6a.
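
The file tables in the Windows 2000 and Windows NT 4.0 sections both list Fp4autl.dll version 4.0.2.4701 as the patched build. The following is an added example, not part of the original article or Microsoft's code: a Python check over collected file versions, assuming that any version at or above that build contains the fix. The host names and version strings in it are constructed.

```python
"""Added example: audit collected Fp4autl.dll file versions against the patched build."""
import re

# Patched Fp4autl.dll version, taken from the file table in this article.
PATCHED = (4, 0, 2, 4701)

def parse_file_version(text):
    """Parse a four-part Windows file version such as '4.0.2.4701' or '4, 0, 2, 4701'.

    Returns a tuple of four ints, or None when the string is not a file version.
    """
    m = re.fullmatch(r"\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def audit(records):
    """Classify (host, version_string) pairs as 'patched', 'vulnerable' or 'unknown'.

    Assumption: a version at or above PATCHED contains the MS00-100 fix.
    Fields are compared as integers, so 4.0.2.999 sorts below 4.0.2.4701
    (a plain string comparison would get this wrong).
    """
    result = {}
    for host, raw in records:
        version = parse_file_version(raw)
        if version is None:
            result[host] = "unknown"  # missing or unreadable version: verify by hand
        elif version >= PATCHED:
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result

# Constructed inventory: host names and version strings are made up for illustration.
SAMPLE = [
    ("web01", "4.0.2.4701"),
    ("web02", "4.0.2.3406"),
    ("web03", "4, 0, 2, 4715"),
    ("web04", ""),
    ("web05", "4.0.2.999"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```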

Microsoft Windows NT Server version 4.0, Terminal Server Edition
FrontPage Server Extensions are included as part of the Windows NT 4.0 Option Pack, which is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for FrontPage Server Extensions have been provided as part of the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package



STATUS

Windows 2000
Microsoft has confirmed that this problem may cause a degree of security vulnerability in FrontPage 2000 Server Extensions.

Windows NT 4.0 and Windows NT Server version 4.0, Terminal Server Edition
Microsoft has confirmed that this problem may cause a degree of security vulnerability in FrontPage 2000 Server Extensions.



MORE INFORMATION
For more information on this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-100.mspx

Additional query words: security_patch front page secbulletin secfix frontpage kbtsesrp KbSECVulnerability KbSECHack

Keywords: kbhotfixserver kbqfe kbbug kbfix kbgraphxlinkcritical kbsecurity kbwin2000presp2fix KB280322


© Microsoft Corporation. All rights reserved.