Apache at Center of Security Controversy -- Redmondmag.com

Apache at Center of Security Controversy

By Scott Bekker
06/25/2002

For once, there was a firestorm in security and Microsoft wasn't at the center of it.

The problem involved the Apache Web server, an archrival to Microsoft's Internet Information Server/Services Web server. A vulnerability disclosed last week allowed a denial-of-service attack and even made remote code execution possible on some operating system platforms.

The Apache Software Foundation, which oversees development of the ubiquitous open source Web server, considers the problem high risk.

Mark Litchfield, the well-known Oracle vulnerability hunter, actually discovered the problem on an Apache server running on Windows -- but the vulnerability was quickly found to apply to Apache on several platforms, according to the foundation.

The foundation also found itself in a hurry to post a bulletin about the problem and a fix in the form of new versions of the Web server when Internet Security Systems Inc. posted its own patch code for the problem first. Researchers at ISS' X-Force lab apparently happened upon the chunk encoding problem around the same time as Litchfield of Next Generation Security Software Ltd.

The foundation criticized ISS for the early release, then later said that the ISS patch failed to fix part of the problem.

Later in the week, the group Gobbles Security posted exploit code in several public places, taking the controversy to a whole new level. A first exploit targeted the FreeBSD platform, and a second exploit hit Solaris and Linux, with Gobbles promising to deliver more exploits.

To be sure, Microsoft IIS has had its own ongoing battles with buffer overflows and code execution. Apache has an excellent reputation for security and has suffered from relatively few high-profile security problems.

Apache regularly has double the market share of IIS in terms of sites hosted on each Web server in the monthly surveys published by Netcraft..

Information on securing Apache servers is available at http://httpd.apache.org/.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.