Quantcast
Subscribe to magazine

Patch Posted for Apache Hole

Workaround, update available for 'high risk' security flaw in widely-used Web server.

Matt Berger, IDG News Service

  • 0 Yes
  • 0 No

A flaw has been discovered in the newest version of the Apache Web server that could allow an attacker to take control of a user's system, prompting the release Friday of an upgrade to the software.

PivX Solutions, a network security consultancy in Newport Beach, California, disclosed the vulnerability Friday soon after an upgrade to Apache Version 2.0 that fixes the hole was posted. The hole could let an attacker remotely access all the files on an Apache 2.0 Web server, execute them, pass malicious code, and even shut down the system completely, said Geoff Shively, who goes by the title "chief hacking officer" at PivX Solutions.

"This is the same type of vulnerability that made Code Red, Code Blue, and Nimda possible," Shively said. "If someone wanted to make a worm for this it would take the same route."

PivX Solutions has released a basic workaround that will disable the problem, the company said. In addition, the Apache Software Foundation has made available a new version of the software that plugs the hole. Both the workaround and the upgrade are available from the Apache site.

Updates Urged

The vulnerability affects Apache systems running on all versions of Windows as well as OS/2 and NetWare, according to PivX. The Apache Software Foundation added that it affects all default installations of the Apache Web server. Unix and other variant platforms appear unaffected, according to Apache.

It is considered high risk, and users are urged to immediately install version 2.0.40 of the Apache Web server or implement the workaround.

"Some people have been using this attack," Shively said. "There have been some systems affected that we're somewhat aware of."

The firm discovered the flaw on August 3 and four days later began working with the Apache Software Foundation on a fix.

"We waited until today to release the advisory so Apache could make the fix," Shively said.

PivX Solutions also disclosed a second vulnerability in Apache 2.0 Friday, though it was deemed low risk. The second flaw can be used to gather information about an individual Apache Web server, such as who owns it, what operating system it is running on, names of files stored on the server, where it is physically located, as well as other info that would normally be held private, Shively said. The 2.0.40 upgrade also fixes this low-risk flaw, according to Apache.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace