Apache at Center of Security Controversy
- By Scott Bekker
- June 25, 2002
For once, there was a firestorm in security and Microsoft wasn't at the center of it.
The problem involved the Apache Web server, an archrival to Microsoft's Internet Information Server/Services Web server. A vulnerability disclosed last week allowed a denial-of-service attack and even made remote code execution possible on some operating system platforms.
The Apache Software Foundation, which oversees development of the ubiquitous open source Web server, considers the problem high risk.
Mark Litchfield, the well-known Oracle vulnerability hunter, actually discovered the problem on an Apache server running on Windows -- but the vulnerability was quickly found to apply to Apache on several platforms, according to the foundation.
The foundation also found itself in a hurry to post a bulletin about the problem and a fix in the form of new versions of the Web server when Internet Security Systems Inc. posted its own patch code for the problem first. Researchers at ISS' X-Force lab apparently happened upon the chunk encoding problem around the same time as Litchfield of Next Generation Security Software Ltd.
The foundation criticized ISS for the early release, then later said that the ISS patch failed to fix part of the problem.
Later in the week, the group Gobbles Security posted exploit code in several public places, taking the controversy to a whole new level. A first exploit targeted the FreeBSD platform, and a second exploit hit Solaris and Linux, with Gobbles promising to deliver more exploits.
To be sure, Microsoft IIS has had its own ongoing battles with buffer overflows and code execution. Apache has an excellent reputation for security and has suffered from relatively few high-profile security problems.
Apache regularly has double the market share of IIS in terms of sites hosted on each Web server in the monthly surveys published by Netcraft..
Information on securing Apache servers is available at http://httpd.apache.org/.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.