MS Warns of Commerce Server Flaw
Microsoft is warning its Commerce Server software customers that they should
immediately apply a security patch to fix a number of flaws in the program
that could allow hackers to take control of the server.
The warning applies to system administrators running Microsoft's Commerce
Server 2000 or Commerce Server 2002.
Four vulnerabilities were discovered in Commerce Server 2000, with one also
affecting users of Commerce Server 2002. Each of the vulnerabilities could
allow a hacker to run code of his or her choice.
Both versions of the software are vulnerable to a new variant of the ISAPI
Filter vulnerability, which was originally patched in February. The flaw lies in the ISAPI filter
According to Microsoft, the new variant is exactly the same as the original
one, except for the specific way in which it could be exploited.
The other flaw labeled as "critical" by the Redmond, Wash.-based software giant
is in the Profile Service area, where one manages profile information. The
area contains an unchecked buffer in a section of code that handles certain
types of API
The two other flaws that have been identified by the company are considered
only to be moderate threats, because for an attack to succeed, the attacker
would need to have credentials to log on to the Commerce Server 2000
computer on which the OWC package installer is kept.
The latest patches come on the heels of a tough security year for Microsoft
that has seen a slew of security advisories spelling out bugs on the SQL
Server, Internet Explorer and
in the Remote
Access Service (RAS) phonebook implementation on Windows NT 4.0, Windows
2000 and Windows XP.
The patches are available for download for the Commerce Server 2000 here and for
Commerce Server 2002 here.