Apache at Center of Security Controversy

For once, there was a firestorm in security and Microsoft wasn't at the center of it.

The problem involved the Apache Web server, an archrival to Microsoft's Internet Information Server/Services Web server. A vulnerability disclosed last week allowed a denial-of-service attack and even made remote code execution possible on some operating system platforms.

The Apache Software Foundation, which oversees development of the ubiquitous open source Web server, considers the problem high risk.

Mark Litchfield, the well-known Oracle vulnerability hunter, actually discovered the problem on an Apache server running on Windows -- but the vulnerability was quickly found to apply to Apache on several platforms, according to the foundation.

The foundation also found itself rushing to post a bulletin about the problem, along with a fix in the form of new versions of the Web server, when Internet Security Systems Inc. posted its own patch code for the problem first. Researchers at ISS' X-Force lab apparently happened upon the chunk encoding problem around the same time as Litchfield of Next Generation Security Software Ltd.

The foundation criticized ISS for the early release, then later said that the ISS patch failed to fix part of the problem.

Later in the week, the group Gobbles Security posted exploit code in several public places, taking the controversy to a whole new level. A first exploit targeted the FreeBSD platform, and a second exploit hit Solaris and Linux, with Gobbles promising to deliver more exploits.

To be sure, Microsoft IIS has had its own ongoing battles with buffer overflows and code execution. Apache has an excellent reputation for security and has suffered from relatively few high-profile security problems.

In the monthly surveys published by Netcraft, Apache regularly has double the market share of IIS in terms of sites hosted on each Web server.

Information on securing Apache servers is available at

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

