A flaw in the latest version of the Apache Web server that could
allow an attacker to take control of a user's system, has resulted
in the release of an upgrade to the software.
The vulnerability is considered high risk, and users are being
urged install version 2.0.40 of the Apache Web server or implement
a work-around to immediately.
PivX Solutions, a US network security consultancy, disclosed the
vulnerability soon after an upgrade to Apache Version 2.0, which
fixes the hole, was made available on the Web.
The hole could allow an attacker to access all the files on an
Apache 2.0 Web server remotely, execute them, pass malicious code,
and even shut down the system completely, said Geoff Shively, who
goes by the title "chief hacking officer" at PivX Solutions.
"This is the same type of vulnerability that made Code Red, Code
Blue and Nimda possible," Shively said. "If someone wanted to make
a worm for this it would take the same route."
PivX Solutions has released a basic work-around that will disable
the problem, the company said. In addition, the Apache Software
Foundation has made available a new version of the software, which
plugs the hole. Both the work-around and the upgrade are available
online at
www.apache.org/dist/httpd/.
The vulnerability affects Apache systems running on all versions of
Windows as well as OS/2 and NetWare, according to PivX. The Apache
Software Foundation said that it affected all default installations
of the Apache Web server.
Unix and other variant platforms appear unaffected, Apache
claimed.
The firm discovered the flaw on 3 August and four days later began
working with the Apache Software Foundation on a fix. "We waited
until today to release the advisory so Apache could make the fix,"
Shively said.