The long-running dispute over when to release vulnerability information is escalating into a bitter turf war among several security companies, all of which claim to have their customers best interests at heart.
The flap began Monday when news of a serious vulnerability in the popular Apache open-source Web server software hit security mailing lists. Security vendor Internet Security Systems Inc. released an advisory early Monday warning of the flaw. The ISS advisory also included a piece of code that the companys X-Force research team said would remedy the problem. There was no formal patch available for the flaw.
The Apache Software Foundation, which maintains the Apache software, then released its own advisory, which not only criticized ISS for releasing its advisory before a patch was ready but also claimed that ISS patch didnt fix the vulnerability.
The CERT Coordination Center, which acts as a kind of clearinghouse for vulnerability data and often coordinates its efforts with security researchers and vendors, published a bulletin late Monday as well.
Several security researchers apparently found the Apache flaw virtually simultaneously, and thats where the problem arose. While ISS was preparing its bulletin, Next Generation Security Software Ltd., which had also discovered the problem, contacted CERT and the Apache Foundation, alerting them to the problem. The Apache developers said they wanted to coordinate the release of the bulletin with CERT, to which NGSS agreed, according to a note posted to the Bugtraq mailing list by David Litchfield, a well-known security researcher and co-founder of NGSS.
“Of course, with a premature release from ISS many are now left vulnerable without a patch,” Litchfield wrote.
Marc Maiffret, chief hacking officer of eEye Digital Security Inc., of Aliso Viejo, Calif., also joined the fray, saying that the early release of the vulnerability data will inevitably lead to active exploitation of the flaw by crackers.
“Since there has actually been many chunked encoding vulnerabilities released lately, and exploits (for win32), it only makes sense that it will take no time for someone to develop an exploit for this Apache Win32 chunked overflow, and then start using that to break into systems,” he wrote in a reply to Litchfields message.
The Apache flaw lies in the way that the server handles data transmissions of unknown size. Typically, these transmissions are broken into “chunks” for easier handling. But Apaches HTTP server misinterprets the size of the chunks, which leads to an overrun of the heap memory, according to an advisory published Monday by Internet Security Systems Inc.s X-Force research team.
The vulnerability can be exploited remotely by way of a carefully crafted invalid request to the server, and the flawed functionality is enabled by default. Exploiting the flaw could either lead to a denial of service on the machine or the execution of malicious code.
An attacker would only be able to execute code on 64-bit Unix systems and Windows machines, according to Apache. Exploiting the vulnerability on 32-bit Unix machines would crash the Apache HTTP server.
The Apache Software Foundations Apache Server Project, which maintains the open-source HTTP server, also issued a bulletin warning that all versions of Apache 1.3 are vulnerable, as are copies of version 2 up to 2.0.39.
- Review: Covalent Gets Apache Enterprise Ready
- Review: Apache 2.0 Beats IIS at Its Own Game
- IBM Apache Avoids Most Security Woes
- Flaw Puts SQL Servers at Risk
- More Security Coverage