It's been said that there's no such thing as a completely secure web application. As if to prove that point, News.com reports that hackers have released a worm that attacks Apache servers, leaving the server open to denial-of-service attacks or turning it into a "zombie" made to pump out packets in an attack against yet another server. From the News.com article titled "New Apache worm starts to spread":
Security experts are rushing to decode a worm program that exploits a 2-week-old flaw to infect computers running vulnerable versions of the popular open-source Apache Web server application.
The worm is thought to be capable of spreading only to Web servers running the FreeBSD operating system, an open-source variant of Unix, that haven't had a patch applied for the recent flaw. Although few people have reported the worm, it is thought to be infecting vulnerable Web servers worldwide.
"It is spreading," said Domas Mituzas, a systems developer for Baltic information-technology firm Microlink Systems and the first to report the new worm. "It hit us from Poland, and the comments are in Italian, so it could be from any part of the world."
This worm underscores the fact that any system or OS is exposed to malicious code from hackers if it's connected to the Web, though we would quickly add that some systems and OSes seem far more vulnerable than others. With that in mind, Apple has released Security Update July 2002, which includes a patch that closes the Apache hole the worm exploits. From Apple:
Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system.
Security Update July 2002 can be downloaded through Software Update under System Preferences in OS X or via Apple's Knowledge Base site.
According to the official Apache-SSL.org security advisory, all installations of Apache Web Server software should be at version 1.3.26, which is the version included in Apple's Security Update for July. From Apache-SSL.org:
Apache Chunked encoding vulnerability CAN-2002-0392
Requests to all versions of Apache 1.3 prior to 1.3.26 can cause various effects ranging from a relatively harmless increase in system resources through to denial of service attacks and in some cases the ability to be remotely exploited.
As Apache-SSL is based on Apache, Apache-SSL is also vulnerable.
Download Apache-SSL 1.3.26+1.48 from the usual places (see http://www.apache-ssl.org/).
Adam Laurie, June 20, 2002.
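The advisory gives the check every administrator needs to run after this update: is the installed Apache at 1.3.26 or later (and, per Apple's note, mod_ssl at 2.8.9 or later)? The following is an added example, not code from the article, Apple, or the Apache-SSL project. It parses the "Product/x.y.z" tokens found in either an HTTP Server response header or the output of `httpd -v`, and classifies the Apache version against the fix release named in the advisory. The sample banners are constructed, and the decision to report non-1.3 branches as "not-covered" (rather than guessing at them) is this example's own assumption, since the advisory quoted above speaks only to Apache 1.3.

```python
"""Check an Apache Server banner against the fix versions named in the
advisories quoted above: Apache 1.3.26 and mod_ssl 2.8.9.

The banner can come from an HTTP response header
("Server: Apache/1.3.20 ...") or from `httpd -v`
("Server version: Apache/1.3.20 (Darwin)"); both carry "Product/x.y.z" tokens.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum versions that carry the fix, taken from the quoted advisories.
FIXED_APACHE: Version = (1, 3, 26)
FIXED_MOD_SSL: Version = (2, 8, 9)

# Match "Apache/1.3.20" and "mod_ssl/2.8.4"; other tokens (OpenSSL/..., PHP/...)
# are deliberately ignored because nothing on the page gives fix versions for them.
_TOKEN_RE = re.compile(r"\b(Apache|mod_ssl)/(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner: str) -> Dict[str, Version]:
    """Return {product: (major, minor, patch)} for every recognised token."""
    found: Dict[str, Version] = {}
    for name, major, minor, patch in _TOKEN_RE.findall(banner):
        # Keep the first occurrence if a token somehow appears twice.
        found.setdefault(name, (int(major), int(minor), int(patch)))
    return found


def assess_apache(version: Optional[Version]) -> str:
    """Classify an Apache version against the CAN-2002-0392 fix release."""
    if version is None:
        # ServerTokens Prod, or a stripped banner: nothing to compare against,
        # so the host has to be checked locally with `httpd -v`.
        return "unknown"
    if version[:2] != (1, 3):
        # Assumption of this example: the advisory above covers only the 1.3
        # branch, so other branches are reported rather than judged.
        return "not-covered"
    return "patched" if version >= FIXED_APACHE else "vulnerable"


def assess_mod_ssl(version: Optional[Version]) -> str:
    """Classify mod_ssl against the 2.8.9 release shipped in Apple's update."""
    if version is None:
        return "absent"
    return "patched" if version >= FIXED_MOD_SSL else "vulnerable"


def assess_banner(banner: str) -> Dict[str, str]:
    """One-shot assessment of a banner line: {'Apache': ..., 'mod_ssl': ...}."""
    versions = parse_banner(banner)
    return {
        "Apache": assess_apache(versions.get("Apache")),
        "mod_ssl": assess_mod_ssl(versions.get("mod_ssl")),
    }


if __name__ == "__main__":
    # Constructed sample banners for illustration; not captured from real hosts.
    samples = [
        "Server: Apache/1.3.20 (Darwin) mod_ssl/2.8.4 OpenSSL/0.9.6c",
        "Server version: Apache/1.3.26 (Darwin)",
        "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d",
        "Server: Apache",
    ]
    for line in samples:
        print(f"{line!r:62} -> {assess_banner(line)}")
```

A banner that reads just "Apache" is the one case this check cannot settle remotely: it means the server hides its version, not that it is patched, so treat "unknown" as a prompt to confirm on the box itself.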