The vulnerability is considered high risk, and users are being urged install version 2.0.40 of the Apache Web server or implement a work-around to immediately.
PivX Solutions, a US network security consultancy, disclosed the vulnerability soon after an upgrade to Apache Version 2.0, which fixes the hole, was made available on the Web.
The hole could allow an attacker to access all the files on an Apache 2.0 Web server remotely, execute them, pass malicious code, and even shut down the system completely, said Geoff Shively, who goes by the title "chief hacking officer" at PivX Solutions.
"This is the same type of vulnerability that made Code Red, Code Blue and Nimda possible," Shively said. "If someone wanted to make a worm for this it would take the same route."
PivX Solutions has released a basic work-around that will disable the problem, the company said. In addition, the Apache Software Foundation has made available a new version of the software, which plugs the hole. Both the work-around and the upgrade are available online at www.apache.org/dist/httpd/.
The vulnerability affects Apache systems running on all versions of Windows as well as OS/2 and NetWare, according to PivX. The Apache Software Foundation said that it affected all default installations of the Apache Web server.
Unix and other variant platforms appear unaffected, Apache claimed.
The firm discovered the flaw on 3 August and four days later began working with the Apache Software Foundation on a fix. "We waited until today to release the advisory so Apache could make the fix," Shively said.