Summary
The MS03-051 bulletin addresses two new security vulnerabilities in Microsoft FrontPage Server Extensions, the most serious of which could enable an attacker to run arbitrary code on a user's system.
The first vulnerability exists because of a buffer overrun in the remote debug functionality of FrontPage Server Extensions.
This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev.
An attacker who successfully exploited this vulnerability could run code with IWAM_machinename account privileges on an affected system, or could cause FrontPage Server Extensions to fail.
The second vulnerability is a Denial of Service vulnerability that exists in the SmartHTML interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content.
An attacker who successfully exploited this vulnerability could cause a server running FrontPage Server Extensions to temporarily stop responding to requests.
Solution
Microsoft has released a patch to correct these issues. Download locations for this patch:
http://www.microsoft.com/technet/security/bulletin/MS03-051.mspx
Note: This update replaces the security updates contained in the following bulletins: MS01-035 and MS02-053.
Severity
Classification
- CVE: CVE-2003-0822, CVE-2003-0824
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- ISA Server 2000 and Proxy Server 2.0 Internet Content Spoofing (888258)
- Microsoft IE Developer Tools WMITools and Windows Messenger ActiveX Control Vulnerability (2508272)
- Microsoft Comctl32 Integer Overflow Vulnerability (2864058)
- Microsoft .NET Framework Remote Code Execution Vulnerability (2484015)
- Bluetooth Stack Could Allow Remote Code Execution Vulnerability (951376)