Users who have delayed patching their Apache Web servers against
the vulnerability reported on Monday have discovered that they
should wait no longer. An exploit to attack the security hole is
now circulating on the Internet, according to Oliver Friedrichs,
director of engineering at SecurityFocus.
The exploit - a tool that makes attacking a vulnerability easier -
was posted to the Bugtraq security e-mail list on Wednesday. Its
existence "makes the possibility of a worm that targets these
(systems) more likely", said Friedrichs.
The vulnerability, announced Monday by Internet Security Systems
and then expanded upon by the Apache Software Foundation, could
allow an attacker to take control of an affected Web server.
A flaw in the way Apache handles uploads could allow an attacker to
send a specially formed request to the server and cause it to deny
service to legitimate users or take the system over, both groups
said.
Almost two-thirds of the world's Web servers use Apache, according
to data from Web server monitoring firm Netcraft.
CERT/CC (Computer Emergency Response Team/Co-ordination Centre), a
US government-funded computer security body located at the Carnegie
Mellon University, and Internet Security Systems both updated their
advisories on the vulnerability after the release of the exploit,
urging users to patch their systems.
Despite the presence of an exploit, SecurityFocus has not "seen
increased attack activity" focused at Apache systems, Friedrichs
said.
SecurityFocus monitors the networks of over 9,000 companies in more
than 145 countries for security data and then aggregates it to
create a picture of global, regional and industry-specific Internet
security.
Friedrichs said there is usually a one to two-week period between
vulnerability announcements and attacks.
Though the exploit released on Wednesday only attacks Apache
installations running on the OpenBSD operating system, "it's not a
monumental task for someone to modify it (to work with other
operating systems)", he said.
Users should patch their systems immediately and check with their
vendors for more information, Friedrichs said.
"People should be making the patching of their Apache servers a
high priority," he said.