Microsoft's SmartHTML interpreter (shtml.dll) contains a remotely exploitable vulnerability.
shtml.dll is a component of FrontPage Server Extensions. FrontPage Server Extensions allow web developers to add or change content and to manage the web server.
Quoting from MS02-053, "The SmartHTML interpreter, shtml.dll, is part of FPSE, and supports certain types of dynamic web content. For instance, using SmartHTML, a web developer can build a web page that relies on FrontPage features, but not actually have those features embedded within the page until a user requests it."
There are varying impacts depending on the version of FrontPage Server Extensions running on the vulnerable host. If a user is running FrontPage Server Extensions 2000, an attacker can cause denial-of-service conditions on the web server (cause the web server to become unavailable). If a user is running FrontPage Server Extensions 2002, a remote attacker can execute arbitrary code with system privileges on the web server.
Apply a patch.
Maninder Bharadwaj of Digital Defense Services, part of Digital GlobalSoft Ltd., is credited with discovering this vulnerability.
This document was written by Ian A Finlay. It is based on information provided by Microsoft.
|Date First Published:||2002-10-02|
|Date Last Updated:||2002-10-04 20:04 UTC|