Commerce Server Has Critical Flaws

Microsoft Corp. is urging customers using Commerce Server to immediately install a patch for four newly discovered vulnerabilities -- two of them involving critical code execution problems.

Both Commerce Server 2000 and Commerce Server 2002 are vulnerable to critical problems fixed by the patch. Commerce Server grew out of the existing Microsoft Site Server 3.0 and Microsoft Site Server, Commerce Edition, but those older products are not vulnerable because they do not include the features that contain the flaws.

Commerce Server is a Web server tailored for building e-commerce sites. In includes wizards, tools and features for developing, deploying and analyzing usage of e-commerce sites. It is a strategic member of Microsoft's .NET Enterprise Server family, and one of only three products so far that Microsoft has certified for use on its high-end Windows 2000 Datacenter Server operating system.

The most interesting new vulnerability in the bulletin, which can be found at, involves an unchecked buffer in the Profile Service in Commerce Server 2000 but not Commerce Server 2002.

The Profile Service allows a commerce site's users to log on and manage her own profile or research order status. The service is installed, but not enabled, by default. One of the three development reference sites that ships with the product, the Retail Solution Site, leverages the Profile Service.

The unchecked buffer in the Profile Service represents a critical vulnerability because an attacker could use it to gain complete control over a Commerce Server.

Two other moderate vulnerabilities addressed by the patch involve the way Commerce Server 2000 interacts with the Office Web Components installer. The other critical vulnerability affects both Commerce Server 2000 and Commerce Server 2002. That problem is a new variant of the ISAPI Filter vulnerability that Microsoft fixed for some other products earlier this year.

The busy Mark Litchfield of Next Generation Security Software Ltd. unearthed the Profile Service and Office Web Components installer vulnerabilities and worked with Microsoft to fix them. Litchfield also recently uncovered high-profile vulnerabilities in the Apache Web server and the Oracle database.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • How To Use .CSV Files with PowerShell, Part 1

    When it comes to bulk administration, few things are handier than .CSV files. In this two-part series, Brien demos his top techniques for working with .CSV files in PowerShell. First up: How to create a .CSV file.

  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.