O-024: Microsoft Buffer Overrun in Microsoft FrontPage Server Extensions

   
REVISION HISTORY:
11/13/03 - CIAC has updated CIAC O-024 to reflect the changes in Microsoft's MS03-051, 
           Technical Details Section on what actions an attacker could take if they 
           were to successfully exploit this vulnerability.

11/17/03 - CIAC has updated CIAC O-024 to reflect the following changes in Microsoft's 
           MS03-051: the affected versions of Microsoft Office; Technical Details 
           section on what actions an attacker could take if they exploit this 
           vulnerability; and in the Workaround section they have removed where 
           customers can use IIS Lockdown Tool to disable FrontPage Server Extensions 
           on an IIS Server.		   
		   
[***** Start MS03-051 *****]

Microsoft Security Bulletin MS03-051   

Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code 
  Execution (813360)
Issued: November 14, 2003 
Version: 1.0

Summary

Who should read this document: Customers using Microsoft® FrontPage Server 
Extensions ®

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should install the security update immediately

Security Update Replacement: This update replaces the security updates contained 
in the following bulletins: MS01-035 and MS02-053.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software: 

Microsoft Windows 2000 Service Pack 2, Service Pack 3 
Microsoft Windows XP, Microsoft Windows XP Service Pack 1 
Microsoft Office XP, Microsoft Office XP Service Pack 1, Service Pack 2 
Non Affected Software: 
Microsoft Windows Millennium Edition 
Microsoft Windows NT Workstation 4.0, Service Pack 6a 
Microsoft Windows NT Server 4.0, Service Pack 6a 
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 
Microsoft Windows 2000 Service Pack 4 
Microsoft Windows XP 64-Bit Edition Version 2003 
Microsoft Windows Server 2003 (Windows SharePoint Services) 
Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services) 
Microsoft Office System 2003 

Tested Microsoft Windows and Office Components:

Affected Components: 

Microsoft FrontPage Server Extensions 2000 - Download the update 
Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000) – 
Download the update 
Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP) – 
Download the update 
Microsoft FrontPage Server Extensions 2002 - Download the update 
Microsoft SharePoint Team Services 2002 (shipped with Office XP) - 
Download the update 

(To determine what version of FrontPage Server Extension that is installed on your system 
please see the first question in the FAQ Section of this bulletin.)

The software listed above has been tested to determine if the versions are affected. Other 
versions are no longer supported, and may or may not be affected.


Technical Details

Technical description:

This bulletin addresses two new security vulnerabilities in Microsoft FrontPage Server 
Extensions, the most serious of which could enable an attacker to run arbitrary code on a 
user's system.

The first vulnerability exists because of a buffer overrun in the remote debug functionality 
of FrontPage Server Extensions. This functionality enables users to remotely connect to a 
server running FrontPage Server Extensions and remotely debug content using, for example, 
Visual Interdev. An attacker who successfully exploited this vulnerability could be able to 
run code with IWAM_machinename account privileges on an affected system, or could cause 
FrontPage Server Extensions to fail.

The second vulnerability is a Denial of Service vulnerability that exists in the SmartHTML 
interpreter. This functionality is made up of a variety of dynamic link library files, and 
exists to support certain types of dynamic web content. An attacker who successfully 
exploited this vulnerability could cause a server running Front Page Server Extensions to 
temporarily stop responding to requests.

Mitigating factors:

Administrators that have applied Service Pack 4 on Windows 2000 systems are not affected 
by these vulnerabilities 
Windows XP does not have FrontPage Server Extensions installed by default 
Windows NT 4.0 does not have FrontPage Server Extensions installed by default unless you 
have applied Windows NT4.0 Option Pack 

Severity Rating:
****************************************************************
Microsoft FrontPage Server Extensions 2000        Critical 
****************************************************************
Microsoft FrontPage Server Extensions 2000        Critical
(Shipped with Windows 2000)  
****************************************************************
Microsoft FrontPage Server Extensions 2000        Moderate
(Shipped with Windows XP)  
****************************************************************
Microsoft FrontPage Server Extensions 2002        Critical
(shipped with Office XP)  
****************************************************************
Microsoft SharePoint Team Services 2002           Critical 
****************************************************************

The above assessment is based on the types of systems affected by the vulnerability, their 
typical deployment patterns, and the effect that exploiting the vulnerability would have on 
them. 

Vulnerability identifier for the Buffer Overrun vulnerability: CAN-2003-0822

Vulnerability identifier for SmartHTML interpreter vulnerability: CAN-2003-0824

Workarounds

Microsoft has tested the following workarounds that apply across all the vulnerabilities. 
These workarounds help block known attack vectors, however they will not correct the underlying 
vulnerabilities. Workarounds may reduce functionality in some cases; in such cases, the reduction 
in functionality is identified below.

FrontPage Server Extensions administrators can uninstall FrontPage Server Extensions in Add or 
Remove programs 

1.  From the Start button, choose Control Panel. 
2.  Select Add or Remove programs. 
3.  Select Add/Remove Windows Components. 
4.  Select "Internet Information Services (IIS)" and choose "Details…". 
5.  Uncheck "FrontPage 2000 Server Extensions" and choose OK. 
6.  Choose Next in the Windows Components Wizard and choose Finish. 

Impact of workaround:

With FrontPage Server Extensions uninstalled or disabled webpage and server functionality relying 
on them will be unavailable or will not operate as expected.



Security Update Information

Installation platforms and Prerequisites: 

For information about the specific security update for your platform, click the appropriate link: 

Microsoft FrontPage Server Extensions 2000
Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000)
Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP)
Microsoft FrontPage Server Extensions 2002 (Shipped with Office XP)
Microsoft SharePoint Team Services 2002


Acknowledgments

Microsoft http://www.microsoft.com/technet/security/bulletin/policy.asp for working with us to 
protect customers: 

* Brett Moore of Security-Assessment.com for reporting the issue in MS03-051. 

Obtaining other security updates:

Updates for other security issues are available from the following locations: 

Security updates are available from the Microsoft Download Center, and can be most easily 
  found by doing a keyword search for "security_patch". 
Updates for consumer platforms are available from the WindowsUpdate web site 
Updates for Microsoft Office Family products are available from the Office Update web site. 

Support: 

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. 
  There is no charge for support calls associated with security patches.
International customers can get support from their local Microsoft subsidiaries. There is no 
  charge for support associated with security updates. Information on how to contact Microsoft 
  support is available at http://support.microsoft.com/common/international.aspx 

Security Resources: 

The Microsoft TechNet Security Web Site provides additional information about security in 
  Microsoft products. 
Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please 
  see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security 
  updates that have detection limitations with MBSA tool. 
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
Windows Update: http://windowsupdate.microsoft.com 
Office Update: http://office.microsoft.com/officeupdate/ 
Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy 
the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based 
servers, as well as to desktop computers running Windows 2000 Professional or Windows XP 
Professional.

For information about how to deploy this security patch with Software Update Services, visit the 
following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information 
about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools 
to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update 
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update 
Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office 
Detection Tool to provide broad support for security bulletin remediation. Some software updates 
may require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used 
for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated 
Rights Deployment Tool can be used for installation. This provides optimal deployment for updates 
that require explicit targeting using Systems Management Server and administrative rights after the 
computer has been restarted.

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of 
any kind. Microsoft disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft Corporation or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply.

Revisions: 

V1.0 (November 11, 2003): Bulletin published. 
V1.1 November 12, 2003: Updated information on what actions an attacker could take if they 
were to successfully exploit this vulnerability. 
V1.2 November 14, 2003: Updated information on affected versions of Microsoft Office, updated 
information in the workarounds section. 
 
 
[***** End MS03-051 *****]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org