Microsoft BizTalk Server 2000/2002 Have Security Bugs

The company issued a pair of patches for the enterprise application server, which is used to exchange documents internally over intranets and messages with trading partners over extranets.

One of the vulnerabilities affects only BizTalk Server 2002. A buffer overflow flaw exists in the component that receives documents in HTTP format, the primary protocol used to transfer documents over Web services. Attackers could gain entry to the server and run the code of their choice on it.

A second flaw exists in both BizTalk Server 2000 and BizTalk Server 2002 and could allow attackers to send a user a specially crafted URL query, which could then execute a malicious SQL statement embedded in the string.

Microsoft has released patches for both vulnerabilities, tagging the BizTalk Server 2000-only flaw as "moderate," and the other flaw as "important"--the third- and second-most severe rankings, respectively, in Microsoft's four-level security scheme. Fixes can be downloaded from the Microsoft TechNet Web site.

*This story courtesy of Techweb.com.