Microsoft urges users to patch Commerce Server

Microsoft Corp. is urging users of its Commerce Server software for electronic commerce Web sites to immediately apply a security patch to fix flaws that could allow an attacker to gain control of the server.

Four vulnerabilities exist in the Commerce Server products; all affect Commerce Server 2000, while one affects Commerce Server 2002, Microsoft said Wednesday. All four could allow an attacker to run code on the server, Microsoft of Redmond, Washington, said in a security advisory. (

Both versions of Commerce Server are vulnerable to a variant of a buffer overrun flaw that was patched in February. The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default. An attacker could exploit the flaw by sending a malformed request to the server.

Further exposing systems running Commerce Server 2000 is a flaw in the Profile Service, a feature that allows users to manage their own profile and view the status of their order. Entering certain data in a field on the Web site could cause the system to fail, or run code with local system privileges, Microsoft said.

The Profile Service and AuthFilter flaws could be exploited by anyone via the Web. Installing URLscan, a software tool recommended by Microsoft, will make it “difficult if not impossible” for an attacker to take over a system, although the server can still be caused to fail by sending it a malformed request, Microsoft said.

Microsoft also detailed two other flaws, less easy to exploit, in the Office Web Components package installer of Commerce Server 2000. The Office Web Components are used by Commerce Server Business Desk, the Web-based site management tool of Commerce Server 2000.

An attacker would need to have credentials to log on to the computer running Commerce Server 2000 to be able to exploit the Office Web Components installer flaws, which mitigates the severity, Microsoft said.

Earlier versions of Microsoft’s software for electronic commerce Web sites, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, Microsoft said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now