Microsoft Plugs Holes in BizTalk Server

Microsoft has issued patches to address two vulnerabilities
that affect its BizTalk Server 2000 and version 2002 software, the enterprise application integration server that enables communications over intranet and extranet environments.

The first vulnerability affects the HTTP Receiver function found only in BizTalk Server 2002. This feature allows users/partners/etc. to trade information or documents through the HTTP format, which is the primary transfer protocol defined by the SOAP standard used in all Web Services. Microsoft said a buffer overrun exists in the component used to receive HTTP’d documents and could result in attackers being able to execute code of their choice on the BizTalk Server.

The buffer overrun vulnerability could cause Microsoft’s IIS Web Server
software to crash, giving an intruder the ability to gain system privileges. The attacker could then manipulate the system and execute code of their choice. In other words, a hackers could add, delete or otherwise modify data that BizTalk is helping to run.

The second vulnerability affects both Microsoft BizTalk Server 2000 and
BizTalk Server 2002 by way of the software’s Document Tracking and
Administration (DTA) Web interface, which administrators use to manage

“A SQL injection vulnerability exists in some of the pages used by DTA
that could allow an attacker to send a crafted URL query string to a
legitimate DTA user,” Microsoft said Wednesday. “If that user were to then
navigate to the URL sent by the attacker, he or she could execute a
malicious embedded SQL statement in the query string.”

Both patches are considered “important” for BizTalk Server 2002 based on Microsoft’s scale of severity although Microsoft deemed the severity rating for BizTalk server 2000
as a “moderate” problem.

To be sure, system administrators using Microsoft BizTalk 2000 Server and BizTalk
2002 Server are still urged to download patches in order to correct the issue. The
BizTalk Server 2002 patch can be downloaded here and the patch for BizTalk
Server 2000 is here.

The patch follows last week’s alert by Microsoft, in which
critical vulnerabilities were detected and patched in the flagship Internet Explorer browser and Outlook Express email client.

News Around the Web