Commerce Server Has Critical Flaws

Microsoft Corp. is urging customers using Commerce Server to immediately install a patch for four newly discovered vulnerabilities -- two of them involving critical code execution problems.

Both Commerce Server 2000 and Commerce Server 2002 are vulnerable to critical problems fixed by the patch. Commerce Server grew out of the existing Microsoft Site Server 3.0 and Microsoft Site Server, Commerce Edition, but those older products are not vulnerable because they do not include the features that contain the flaws.

Commerce Server is a Web server tailored for building e-commerce sites. In includes wizards, tools and features for developing, deploying and analyzing usage of e-commerce sites. It is a strategic member of Microsoft's .NET Enterprise Server family, and one of only three products so far that Microsoft has certified for use on its high-end Windows 2000 Datacenter Server operating system.

The most interesting new vulnerability in the bulletin, which can be found at, involves an unchecked buffer in the Profile Service in Commerce Server 2000 but not Commerce Server 2002.

The Profile Service allows a commerce site's users to log on and manage her own profile or research order status. The service is installed, but not enabled, by default. One of the three development reference sites that ships with the product, the Retail Solution Site, leverages the Profile Service.

The unchecked buffer in the Profile Service represents a critical vulnerability because an attacker could use it to gain complete control over a Commerce Server.

Two other moderate vulnerabilities addressed by the patch involve the way Commerce Server 2000 interacts with the Office Web Components installer. The other critical vulnerability affects both Commerce Server 2000 and Commerce Server 2002. That problem is a new variant of the ISAPI Filter vulnerability that Microsoft fixed for some other products earlier this year.

The busy Mark Litchfield of Next Generation Security Software Ltd. unearthed the Profile Service and Office Web Components installer vulnerabilities and worked with Microsoft to fix them. Litchfield also recently uncovered high-profile vulnerabilities in the Apache Web server and the Oracle database.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.