
Apache Update: Two days till web meltdown

by Robert Jaques

18 Jun 2002


IT managers have only "a couple of days" before crackers produce a working exploit for the latest Apache security flaw, which leaves more than 50 million web servers exposed.

Speaking exclusively to vnunet.com, Mark Cox, founding member of the Apache Software Foundation, warned: "We have to assume that serious and intelligent crackers will produce an exploit that targets this vulnerability in a couple of days. Then it's only a little while before it filters down to the script kiddies.

"Nobody should sit around and think that this issue will not be exploited or could not be exploited. They should immediately patch servers.

"This is the first time that a remote exploit has affected Apache, certainly during the life of version 1.3, which is at least four years old. We've designed the best security that we can, but obviously there can be mistakes."

Cox stressed the seriousness of the security flaw. "On some platforms in some circumstances this can be very serious," he said. "Remotely running arbitrary code and denial of service attacks are serious."

According to Cox, the most serious manifestation of the vulnerability will be on Unix platforms. However, he added that on 64-bit Unix installations the level of risk depends mainly on the specific operating system, because of differences in how their respective stacks behave.

He indicated that Apache had been aware of the security flaw for some time and that the Computer Emergency Response Team was contacted last week to develop vulnerability lists for all vendors.

Cox added that Apache had been forced to publicise the flaw before a full set of patches was ready because ISS released its incomplete workaround early.

"ISS released its advisory early and jumped the gun," he said. "The company says it found the vulnerability independently and gave us only two hours warning before publishing its advisory.

"What ISS should have done is contact the Apache security team before publishing. They said that they couldn't find anyone at Apache, but I don't think that they tried very hard.

"Any political problems between vendors could have been solved here if ISS had followed responsible disclosure procedures."

However, Cox added that Apache did not want a flame war to continue, stressing that the most important thing was for companies to patch vulnerable servers.

The latest information on this security issue is available from Apache's website.
