Article ID: 280322
Article Last Modified on 2/22/2007
APPLIES TO
- Microsoft FrontPage 2000 Server Extensions
This article was previously published under Q280322
SYMPTOMS
Microsoft has released a patch that eliminates a security vulnerability in a component that is included with Microsoft Internet Information Server (IIS). The vulnerability could potentially allow an attacker to prevent an affected Web server from providing useful service.
The FrontPage Server Extensions are included with and installed by default as part of IIS 4.0 and 5.0. The most familiar functions of FrontPage Server Extensions allow Web site and content management; however, FrontPage Server Extensions also provide browse-time support functions. Included in the latter category are functions that help process Web forms that users submit. A vulnerability exists in one of these functions. If a malicious user levied a specially malformed form submission to an affected server, this would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FrontPage Server Extensions administrative or content management functions.
To resume normal operation on an IIS 4.0 server, the operator must restart the service. In contrast, if an IIS 5.0 server was attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any Web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted.
NOTE: In keeping with best practices, Microsoft recommends that the FrontPage Server Extensions be turned off if not needed.
RESOLUTION
Microsoft Windows 2000
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The following files are available for download from the Microsoft Download Center:
English Language Version
Arabic Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Czech Language Version
Danish Language Version
Dutch Language Version
Finnish Language Version
French Language Version
German Language Version
Greek Language Version
Hebrew Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Japanese NEC Language Version
Korean Language Version
Norwegian Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Date Time Version Size File name ----------------------------------------------------- 11/10/2000 10:21 pm 4.0.2.4701 593,976 Fp4autl.dll
Microsoft Windows NT 4.0
To resolve this problem, obtain the individual package referenced below or obtain the Windows NT 4.0 Security Rollup Package. For additional information on the SRP, click the article number below to view the article in the Microsoft Knowledge Base:
299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)
The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Date Time Version Size File name ------------------------------------------------------ 11/10/2000 10:21 pm 4.0.2.4701 593,976 Fp4autl.dll
NOTE: This patch can be applied to systems that are running Windows NT 4.0 Service Pack 5 or 6a.
Microsoft Windows NT Server version 4.0, Terminal Server Edition
FrontPage Server Extensions are included as part of the Windows NT 4.0 Option Pack which is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for FrontPage Server Extensions have been provided as part of the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:
317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
STATUS
Windows 2000
Microsoft has confirmed that this problem may cause a degree of security vulnerability in FrontPage 2000 Server Extensions.
Windows NT 4.0 and Windows NT Server version 4.0, Terminal Server Edition
Microsoft has confirmed that this problem may cause a degree of security vulnerability in FrontPage 2000 Server Extensions.
MORE INFORMATION
For more information on this vulnerability, see the following Microsoft Web site:
Additional query words: security_patch front page secbulletin secfix frontpage kbtsesrp KbSECVulnerability KbSECHack
Keywords: kbhotfixserver kbqfe kbbug kbfix kbgraphxlinkcritical kbsecurity kbwin2000presp2fix KB280322