Security Web Digest: New Apache Version Fills Security Holes

Previously undisclosed holes in WebDAV support could allow malicious user to crash server
Microsoft names new head of security response
ARM to add security features to CPU core
Symantec says that PDA viruses will come


The Apache Software Foundation on Wednesday released an updated version of its market-leading Web server software, primarily to patch previously undisclosed security holes. The new version of the software patches several serious vulnerabilities, including one that could allow vandals to crash a server by sending malicious commands to the component Apache uses to execute WebDAV (World Wide Web Distributed Authoring and Versioning) instructions. WebDAV is a set of extensions to the basic HTTP (Hypertext Transfer Protocol) underlying the Web, enabling sites to handle more advanced Web services functions. WebDAV has been the source of numerous other security holes in server software made by Microsoft and others. The free Apache program is the most popular Web server software in use today, employed by 63 percent of all Web sites, according to a recent survey by research firm Netcraft.

Microsoft this week named a new top executive for its Security Response Center, the unit responsible for addressing vulnerabilities in the company's existing products. Kevin Kean, who had been working as a senior group product manager on Windows Server 2003, is taking over for Steve Lipner as head of the unit that issues security bulletins and patches for Microsoft's existing products. Lipner is remaining with Microsoft's security unit as director of security engineering strategy.

Chip designer ARM will add extensions to its processor core next year that incorporate hardware-based security technologies, the company said Tuesday. Future versions of the company's ARM core for mobile and wireless handset chips will contain protected areas for storage of user authentication keys, and areas of the processor that are off-limits to unauthorized users, said Mary Inglis, director of operating systems and alliances for ARM. Just about all companies in the microprocessor industry are working on hardware-based security features, which free up system resources normally dedicated to security software products, and execute tasks such as random number generation much faster than software. Intel, Via Technologies, and Transmeta, among others, have introduced or are working on hardware-based security features for their processors.

Consumer Electronics

Users, analysts and even security companies agree that the threat of PDA viruses is low to nonexistent right now. But that doesn't mean management or users can be complacent, said Laura Garcia-Manrique, a Symantec group product manager. The concern about PDA viruses has changed, said Garcia-Manrique, in that in 2000 most of the concern was from users themselves, worried about what could happen to personal devices they had bought for themselves. Now many companies provide them for staff, and IT managers are looking at the effect they have on the network. Hackers will undoubtedly use PDAs to get at PCs and networks in future, Garcia-Manrique said. "Viruses are transmitted using the most popular communication methods, and today that's e-mail. Ten years ago it was floppies. Once the (PDAs) have 802.11 LAN access and direct Internet connections, you get much more information flowing back and forth and the door is much more open."

Apple is clamping down on piracy by imposing restrictions on the way that music downloaded from its iTunes service can be shared. The iTunes service allowed people to listen to almost any music collection that was sharing the same local computer network as they were. But clever iTunes users found a way to extend this local sharing across the Internet using Apple's own Rendezvous software. The update for iTunes is intended to close this loophole and limit who can listen to a playlist.