FPSE: Potential Buffer Overrun Vulnerability in Visual Studio RAD (Remote Application Deployment)
The information in this article applies to:
Microsoft FrontPage 2000 Server Extensions
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services version 5.0
Microsoft Internet Information Server 4.0 and Internet Information Services 5.0 (IIS) include the Microsoft FrontPage Server Extensions to facilitate the development of Web sites and Web-based applications. The FrontPage Server Extensions include an optional sub-component for development servers called Visual Studio RAD (Remote Application Deployment). If you install this optional component on a computer during the installation of Microsoft Windows 2000, you are prompted with the following message:
This sub-component allows Visual InterDev users to register and unregister programming components on the IIS server. This sub-component contains an unchecked buffer in a section that processes input information.
You have chosen to install Visual InterDev RAD Remote Deployment Support. You should do this only on development servers, because RAD lets authors register server components and modify the COM+ settings, affecting the state of the running server. If you install RAD Remote Deployment Support, you should regularly review the permissions settings of your FrontPage webs to ensure that no unwanted authors have obtained authoring privileges.
Although it is unlikely, an attacker could potentially exploit this vulnerability against any server that has the affected sub-component installed, by connecting to a Web session on the server and passing a specially malformed packet to the system.
A more detailed explanation and a supported fix are available in the following Microsoft Security Bulletin, MS01-035:
For additional information about security topics, browse to the following Microsoft TechNet Security Web site:
Additional query words:
front page FP FPSE
Keywords : kbdta
Issue type : kbinfo
Technology : kbiisSearch kbFrontPageSearch kbFrontPageServXSearch kbiis500 kbiis400 kbFrontPage2000Search kbFrontPage2000ServX