MS Warns of Commerce Server Flaw

Microsoft is warning their Commerce Server software customers that they should immediately apply a security patch to fix a number of flaws in the program that could allow hackers to take control of the server.

The warning applies to System administrators running Microsoft's Commerce Server 2000 or Commerce Server 2002.

Four vulnerabilities were discovered in Commerce Server 2000, with one also affecting users of Commerce Server 2002. Each of the vulnerabilities could allow a hacker to run code of his or her choice.

Both versions of the software are vulnerable to a new variant of the ISAPI Filter vulnerability, which was originally patched in February. The flaw lies in the ISAPI filter , known on the software as the AuthFilter, that provides support for a variety of authentication methods. A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests.

"An attacker who successfully exploited this vulnerability could gain complete ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group," stated the warning.

According to Microsoft, the new variant is exactly the same as the original one, except for the specific way in which it could be exploited.

The other flaw labeled as "critical" by the Redmond, Wash.-based software giant is in the Profile Service area, where one manages profile information. The area contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service could be exploited by an attacker who could run code with local system privileges or cause the system to fail by entering certain data in a field on the Web site.

The two other flaws that have been identified by the company are considered only to be moderate threats, because for an attack to succeed, the attacker would need to have credentials to log on to the Commerce Server 2000 computer on which the OWC package installer is kept.

The latest patches come on the heels of a tough security year for Microsoft that has seen a slew of security advisories spelling out bugs on the SQL Server, Internet explorer and in the Remote Access Service (RAS) phonebook implementation on Windows NT 4.0, Windows 2000 and Windows XP.

The patches are available for download for the Commerce Server 2000 here and for Commerce Server 2002 here.