Profile service buffer overrun
This vulnerability results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provides specially malformed data to certain calls that are exposed by the Profile Service can cause the Commerce Server process to fail, or can run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
- By default, the affected API calls in the Profile Service are not exposed to the Internet. The administrator must set up a Commerce Server site and include Profile Service calls as part of that site.
- The URLScan tool, if deployed by using the default rule set for Commerce Server, makes it difficult if not impossible for an attacker to exploit the vulnerability to run code by significantly limiting the types of data that can be included in a URL. However, it is still possible to conduct denial of service attacks.
For more information about the URLScan tool, visit the following Microsoft Web site:
URLScan Security Tool
http://technet.microsoft.com/en-us/security/cc242650.aspx
- Best practices for Web site design can prevent this vulnerability from being exposed by limiting the user input that input fields will accept.
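The two mitigations above, a URL filter in front of the server and tighter limits on what input fields accept, can be illustrated with a small request-validation layer. The following is an added example, not code from the KB article, from URLScan, or from Commerce Server. It is loosely modelled on the idea behind URLScan's MaxUrl and MaxQueryString request limits and its rejection of high-bit characters, but the limits, field names, and patterns are constructed assumptions for illustration; real deployments take them from the URLScan.ini rule set and the site's own schema.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed limits (assumptions for this example). URLScan applies its
# MaxUrl limit to the path without the query string and MaxQueryString to
# the query string separately, so the two are checked independently here.
MAX_PATH_LEN = 260
MAX_QUERY_LEN = 2048
ALLOWED_VERBS = {"GET", "HEAD", "POST"}

# Per-field limits for profile data, analogous to restricting what the
# site's input fields accept before the data reaches the Profile Service.
# Field names and sizes are hypothetical.
MAX_FIELD_LEN = {"email": 128, "first_name": 64, "last_name": 64, "order_id": 32}
FIELD_PATTERN = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "first_name": re.compile(r"[A-Za-z' -]+"),
    "last_name": re.compile(r"[A-Za-z' -]+"),
    "order_id": re.compile(r"[A-Z0-9-]+"),
}


def check_request_line(line: str) -> Optional[str]:
    """Return None if the HTTP request line passes, else a rejection reason.

    Checks the verb, rejects control and high-bit bytes in the URL, and
    enforces separate length limits on the path and the query string.
    """
    parts = line.split(" ")
    if len(parts) != 3:
        return "malformed request line"
    verb, target, _version = parts
    if verb not in ALLOWED_VERBS:
        return f"verb {verb} not allowed"
    if any(ord(c) < 32 or ord(c) > 126 for c in target):
        return "URL contains control or high-bit characters"
    split = urlsplit(target)
    if len(split.path) > MAX_PATH_LEN:
        return f"URL path exceeds {MAX_PATH_LEN} characters"
    if len(split.query) > MAX_QUERY_LEN:
        return f"query string exceeds {MAX_QUERY_LEN} characters"
    return None


def check_profile_fields(fields: Dict[str, str]) -> List[str]:
    """Return a list of problems with submitted profile fields (empty = accept).

    Unknown fields, oversized values, and values outside each field's
    allowed character set are all rejected before any backend call is made.
    """
    problems = []
    for name, value in fields.items():
        if name not in MAX_FIELD_LEN:
            problems.append(f"{name}: unexpected field")
            continue
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN[name]:
            problems.append(f"{name}: value exceeds {MAX_FIELD_LEN[name]} characters")
            continue
        if not FIELD_PATTERN[name].fullmatch(value):
            problems.append(f"{name}: value contains characters outside the allowed set")
    return problems


if __name__ == "__main__":
    # Constructed sample traffic for a stand-alone run.
    for req in [
        "GET /profile.asp?id=1001 HTTP/1.1",
        "GET /profile.asp?id=" + "A" * 3000 + " HTTP/1.1",
        "TRACE /profile.asp HTTP/1.1",
    ]:
        print(req[:48].ljust(50), check_request_line(req) or "accepted")
    sample = {"email": "x" * 200 + "@example.com", "first_name": "Ann#1", "order_id": "ORD-10042"}
    print(check_profile_fields(sample))
```

The filter rejects oversized input before it reaches the Profile Service, which is the point of both mitigations: the unchecked buffer is never handed data long enough to overrun it. As the article notes, a length limit alone does not stop every denial-of-service attempt, so it complements rather than replaces the patch.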
Office Web Components package installer buffer overrun
This is a buffer overrun vulnerability in the Office Web Components (OWC) package installer that is used by Commerce Server. An attacker who provides specially malformed data as input to the OWC package installer can cause the process to fail, or can run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
- For an attack to succeed, the attacker must have credentials to log on to the Commerce Server 2000 computer where the OWC package installer is kept.
- Best practices suggest that unprivileged users not be permitted to interactively log on to business-critical servers. If this recommendation has been followed, unprivileged users do not have access to Commerce Server computers.
Office Web Components package installer command execution
This is a vulnerability in the Office Web Components (OWC) package installer that is used by Commerce Server. An attacker who invokes the OWC package installer in a particular manner can cause commands to be run on the Commerce Server with the permissions that are associated with the logon credentials that the attacker uses. This vulnerability only affects Commerce Server 2000.
- For an attack to succeed, the attacker must have credentials to log on to the Commerce Server 2000 computer where the OWC package installer is kept.
- Best practices suggest that unprivileged users not be permitted to interactively log on to business-critical servers. If this recommendation has been followed, unprivileged users do not have access to Commerce Server computers.
AuthFilter ISAPI filter unchecked buffer
- Although Commerce Server does rely on Internet Information Services (IIS) for its base Web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool, if deployed by using the default rule set for Commerce Server, makes it difficult if not impossible for an attacker to exploit the vulnerability to run code by significantly limiting the types of data that can be included in a URL. However, it is still possible to conduct denial of service attacks.
For more information about the URLScan tool, visit the following Microsoft Web site:
URLScan Security Tool
http://technet.microsoft.com/en-us/security/cc242650.aspx
- The ability of an attacker to extend control from a compromised Web server to other computers depends heavily on the specific configuration of the network. Best practices recommend that the network architecture account for the inherent high risk that computers in an uncontrolled environment, like the Internet, face by minimizing overall exposure through measures like DMZs, operating with minimal services, and isolating contact with internal networks. Steps like this can limit overall exposure and impede the ability of an attacker to broaden the scope of a possible compromise.
- Although the ISAPI filter is installed by default, it is not loaded on any Web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).
Related article: 317615 MS02-010: Unchecked buffer in ISAPI filter may allow Commerce Server compromise