IBM Corp. has issued an advisory warning users of a new tool that lets malicious hackers exploit a previously known vulnerability in the company's WebSphere Commerce Suite software.
The tool, developed by two Danish hackers, lets an intruder decipher encrypted merchant and user passwords to gain unauthorized administrative access to e-commerce sites based on the affected IBM software. IBM said the tool has since been removed from the Internet.
IBM first issued a warning about the vulnerability in November 1999, according to a company spokesman. The alert warned users about possible vulnerabilities arising from insecurely coded macros and using a default merchant key that shipped with the software. A macro is usually a saved sequence of specific orders or instructions to the operating system or an application, which can be recalled with a single key stroke.
IBM issued a patch that addressed the macro issue back in 1999, and it urged users to customize their merchant keys to eliminate any threats arising from the second vulnerability.
In the advisory, IBM said any sites that hadn't applied the patch or were still using the default merchant key were vulnerable to the attacks that exploited the new tool. The advisory lists all of the affected versions of the software as well as advice on how users can find out if their sites have been compromised.
"This is an old story with a little bit of a twist," the spokesman said. "If customers have taken both those actions we have been urging them to take since 1999, they don't have to worry."
Those who haven't implemented either measure need to do so to eliminate any exposure, he added.