Alert: Release of MS02-010 Security Bulletin - AuthFilt in Commerce Server 2000

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/22/02

Date:         Thu, 21 Feb 2002 21:22:50 -0500
From: Russ <Russ.Cooper@RC.ON.CA>

Affects Microsoft Commerce Server 2000

Vulnerability is a buffer overrun in the authentication process used by
Commerce Server (via the AuthFilt ISAPI.dll). As such, it can be
exploited to allow arbitrary code to execute on the Commerce Server in
the LocalSystem context (e.g. root access).

AuthFilt is not used by any other process than Commerce Server, even
though it is used on IIS when Commerce Server is installed (iows, this
isn't an IIS issue, it's an issue with the ISAPI filter used only by
Commerce Server).

Microsoft rates this issue as Critical for Internet/Intranet services,
doesn't apply to clients.

Russ - NTBugtraq Editor
