Commerce Server Has Critical Flaws

Microsoft Corp. is urging customers using Commerce Server to immediately install a patch for four newly discovered vulnerabilities -- two of them involving critical code execution problems.

Both Commerce Server 2000 and Commerce Server 2002 are vulnerable to critical problems fixed by the patch. Commerce Server grew out of the existing Microsoft Site Server 3.0 and Microsoft Site Server, Commerce Edition, but those older products are not vulnerable because they do not include the features that contain the flaws.

Commerce Server is a Web server tailored for building e-commerce sites. In includes wizards, tools and features for developing, deploying and analyzing usage of e-commerce sites. It is a strategic member of Microsoft's .NET Enterprise Server family, and one of only three products so far that Microsoft has certified for use on its high-end Windows 2000 Datacenter Server operating system.

The most interesting new vulnerability in the bulletin, which can be found at, involves an unchecked buffer in the Profile Service in Commerce Server 2000 but not Commerce Server 2002.

The Profile Service allows a commerce site's users to log on and manage her own profile or research order status. The service is installed, but not enabled, by default. One of the three development reference sites that ships with the product, the Retail Solution Site, leverages the Profile Service.

The unchecked buffer in the Profile Service represents a critical vulnerability because an attacker could use it to gain complete control over a Commerce Server.

Two other moderate vulnerabilities addressed by the patch involve the way Commerce Server 2000 interacts with the Office Web Components installer. The other critical vulnerability affects both Commerce Server 2000 and Commerce Server 2002. That problem is a new variant of the ISAPI Filter vulnerability that Microsoft fixed for some other products earlier this year.

The busy Mark Litchfield of Next Generation Security Software Ltd. unearthed the Profile Service and Office Web Components installer vulnerabilities and worked with Microsoft to fix them. Litchfield also recently uncovered high-profile vulnerabilities in the Apache Web server and the Oracle database.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Azure AD Enhancements Bring Expanded Support for Auto-Provisioned SaaS Apps

    Microsoft announced a number of Azure Active Directory enhancements this month.

  • What's Behind Microsoft's Sudden Teams Push?

    As Skype for Business slowly gets phased out and Slack's enterprise dominance becomes less of a sure thing, the time is right for Microsoft to focus its marketing energies on its upstart collaboration tool.

  • Microsoft Releases PowerShell 7 Preview 3

    Microsoft announced on Wednesday that the PowerShell 7 Preview 3 scripting solution is now available.

  • SQL Server 2019 Release Candidate Now Available

    Microsoft on Wednesday announced the release of SQL Server 2019 release candidate (RC).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.