Microsoft urges users to patch Commerce Server

Microsoft Corp. is urging users of its Commerce Server software for electronic commerce Web sites to immediately apply a security patch to fix flaws that could allow an attacker to gain control of the server.

Four vulnerabilities exist in the Commerce Server products; all affect Commerce Server 2000, while one affects Commerce Server 2002, Microsoft said Wednesday. All four could allow an attacker to run code on the server, Microsoft of Redmond, Washington, said in a security advisory. (

Both versions of Commerce Server are vulnerable to a variant of a buffer overrun flaw that was patched in February. The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default. An attacker could exploit the flaw by sending a malformed request to the server.

Further exposing systems running Commerce Server 2000 is a flaw in the Profile Service, a feature that allows users to manage their own profile and view the status of their order. Entering certain data in a field on the Web site could cause the system to fail, or run code with local system privileges, Microsoft said.

The Profile Service and AuthFilter flaws could be exploited by anyone via the Web. Installing URLscan, a software tool recommended by Microsoft, will make it “difficult if not impossible” for an attacker to take over a system, although the server can still be caused to fail by sending it a malformed request, Microsoft said.

Microsoft also detailed two other flaws, less easy to exploit, in the Office Web Components package installer of Commerce Server 2000. The Office Web Components are used by Commerce Server Business Desk, the Web-based site management tool of Commerce Server 2000.

An attacker would need to have credentials to log on to the computer running Commerce Server 2000 to be able to exploit the Office Web Components installer flaws, which mitigates the severity, Microsoft said.

Earlier versions of Microsoft’s software for electronic commerce Web sites, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, Microsoft said.