Commerce Server Has Critical Flaws

Microsoft Corp. is urging customers using Commerce Server to immediately install a patch for four newly discovered vulnerabilities -- two of them involving critical code execution problems.

Both Commerce Server 2000 and Commerce Server 2002 are vulnerable to critical problems fixed by the patch. Commerce Server grew out of the existing Microsoft Site Server 3.0 and Microsoft Site Server, Commerce Edition, but those older products are not vulnerable because they do not include the features that contain the flaws.

Commerce Server is a Web server tailored for building e-commerce sites. It includes wizards, tools and features for developing, deploying and analyzing usage of e-commerce sites. It is a strategic member of Microsoft's .NET Enterprise Server family, and one of only three products so far that Microsoft has certified for use on its high-end Windows 2000 Datacenter Server operating system.

The most interesting new vulnerability in the bulletin, which can be found at, involves an unchecked buffer in the Profile Service in Commerce Server 2000 but not Commerce Server 2002.

The Profile Service allows a commerce site's users to log on and manage their own profiles or look up order status. The service is installed, but not enabled, by default. One of the three development reference sites that ships with the product, the Retail Solution Site, leverages the Profile Service.

The unchecked buffer in the Profile Service represents a critical vulnerability because an attacker could use it to gain complete control over a Commerce Server.

Two other moderate vulnerabilities addressed by the patch involve the way Commerce Server 2000 interacts with the Office Web Components installer. The other critical vulnerability affects both Commerce Server 2000 and Commerce Server 2002. That problem is a new variant of the ISAPI Filter vulnerability that Microsoft fixed for some other products earlier this year.

The busy Mark Litchfield of Next Generation Security Software Ltd. unearthed the Profile Service and Office Web Components installer vulnerabilities and worked with Microsoft to fix them. Litchfield also recently uncovered high-profile vulnerabilities in the Apache Web server and the Oracle database.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
