MS Warns of Commerce Server Flaw

Microsoft is warning its Commerce Server customers to immediately apply
a security patch that fixes a number of flaws in the program that could allow hackers to take control of the server.


The warning applies to system administrators running Microsoft’s Commerce
Server 2000 or Commerce Server 2002.


Four vulnerabilities were discovered in Commerce Server 2000, with one also
affecting users of Commerce Server 2002. Each of the vulnerabilities could
allow a hacker to run code of his or her choice.


Both versions of the software are vulnerable to a new variant of the ISAPI
Filter vulnerability, which was originally patched in February. The flaw lies in the ISAPI filter, known in the software as AuthFilter, which provides support for a variety
of authentication methods. A security vulnerability results because
AuthFilter contains an unchecked buffer in a section of code
that handles certain types of authentication requests.


“An attacker who successfully exploited this vulnerability could gain
complete ability to take any desired action on the server, including
changing web pages, reformatting the hard drive or adding new users to the
local administrators group,” stated the warning.


According to Microsoft, the new variant is exactly the same as the original
one, except for the specific way in which it could be exploited.


The other flaw labeled as “critical” by the Redmond, Wash.-based software giant
is in the Profile Service area, where one manages profile information. The
area contains an unchecked buffer in a section of code that handles certain
types of API calls. An attacker could exploit the Profile Service by entering
certain data in a field on the Web site, and could then run code with local
system privileges or cause the system to fail.


The two other flaws that have been identified by the company are considered
only to be moderate threats, because for an attack to succeed, the attacker
would need to have credentials to log on to the Commerce Server 2000
computer on which the OWC package installer is kept.


The latest patches come on the heels of a tough security year for Microsoft
that has seen a slew of security advisories spelling out bugs in SQL
Server, Internet Explorer and the Remote Access Service (RAS) phonebook
implementation on Windows NT 4.0, Windows 2000 and Windows XP.


The patches are available for download for the Commerce Server 2000 here and for
Commerce Server 2002 here.
