Apache users urged to upgrade

The creators of Apache Web Server software said Tuesday that all Apache users are potentially affected by security vulnerabilities that were announced yesterday, even as a controversy continues about how the flaws were initially made public.

Mark Cox, a founding member of the Apache Software Foundation, said the vulnerability is caused by a stack buffer overflow, which can overload a server using a distributed denial-of-service attack and cause it to stop responding. In some cases, most notably where Microsoft Corp. Windows servers are running the older Apache Version 1.3 or under some 64-bit Unix operating systems, the flaw could be more serious, potentially allowing an intruder to gain remote access to the server, Cox said. All Apache Web server installs should be upgraded to be safe, he said. Apache said users should keep checking the Web site for the updated code.

Those potential problems, reported in a bulletin late yesterday by the Apache HTTP Server Project, are in contrast to a report earlier in the day by security vendor Internet Security Systems Inc. (ISS) in Atlanta. The Apache HTTP Server Project is the open-source community that created and maintains Apache.

ISS said the vulnerability affects only Windows versions of Apache and was caused by a flawed mechanism meant to calculate the size of "chunked" encoding for Windows 32-bit users. Chunked encoding is part of the HTTP Protocol Specification used for accepting data from Web users, according to ISS. The flaw, affecting Apache Versions 1.x, misinterprets the size of incoming data chunks, which could lead to a signal race, heap overflow, and to exploitation of malicious code, according to ISS.

Cox said that while ISS researchers correctly found part of the problem, they failed to see the whole picture before issuing their own security alert about the vulnerability. As a result, a patch that was also posted by ISS failed to fully fix the problem, he said. "The ISS guys, in their haste, didn't notice all of [the vulnerabilities]," Cox said. Complicating the matter, ISS posted its alert within two hours of notifying the Apache group, which didn't provide adequate time to create a patch before making the vulnerability public, he said. The ISS alert forced engineers in the Apache community to work through the night to provide a fix for the problem.

No reports of attacks on any users due to the vulnerabilities have been reported, Cox said. To repair the flaws, users can upgrade to the newest versions of Apache Web server, which include repairs for the problems. For Version 1.3 users, the latest version is 1.3.25, and for 2.0 users, the latest version is 2.0.39. Version 1.2 is also affected, but is no longer supported and should be upgraded to Version 1.3.

Chris Rouland, director of ISS's X-Force research and development group, today defended his company's action in making the vulnerability public when it posted its own patch. He continued to insist that the vulnerabilities aren't related.

"It turns out there's another vulnerability we weren't aware of," he said. "I think that's where the confusion lay."

Rouland also challenged claims from Apache that the patch provided by ISS failed to fix the vulnerability. "We tested the fix and it worked," he said. Apache couldn't have tested the ISS patch, he said, because the company didn't provide the code for the exploit to Apache. "In our eyes, we fixed it," he said.

Others in the security community said they were surprised that ISS issued its alert so quickly.

Dave Wreski of in Upper Saddle River, N.J., said the ISS patch apparently wasn't enough to resolve the problems, essentially giving potential hackers a headstart in creating attacks before a true fix was created. Wreski said that while early flaw announcements have been common for other applications, he believes this is the first time an early alert was given in the Apache community before a fix was established.

Greg Shipley, a network security consultant at Neohapsis Inc. in Chicago, said it was a "boo-boo" on the part of ISS to issue the alert early. "It shows how important coordination is between the researcher and the organization it affects," he said.

The CERT Coordinating Center at Carnegie Mellon University in Pittsburgh has also posted an alert about the vulnerabilities.