Study: Web more vulnerable now than ever
By Joris Evers
IDG News Service, 07/02/02
The recent publication of similar security vulnerabilities in the two most-used Web server software products makes the Web more vulnerable now than ever, Web server information company Netcraft Ltd. warned.

With over half of the Internet's Web servers potentially vulnerable, conditions are "ripe for an epidemic of attacks" against sites running Microsoft Internet Information Server (IIS) or the open-source Apache Web server software, Netcraft of Bath, England, said in its monthly Web Server survey released Monday.

Microsoft increased the severity rating of a flaw in IIS Versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000, to "critical" in response to what it called "a significant change in the threat environment" in a revised security bulletin also issued on Monday by the Redmond, Wash., software giant.

The flaw in IIS lies in software that supports HTR scripting, an older scripting language that Microsoft describes as "largely obsolete." However, Netcraft found that about half of Web sites using Microsoft IIS have HTR scripting enabled.

The flaws in both IIS and Apache relate to the way the Web server products parse uploaded data and can cause the software to misinterpret the size of incoming chunks of data, a so-called chunked encoding vulnerability. An attacker could gain complete control over a vulnerable system by sending a specially crafted request to the server. [See "Microsoft fixes four flaws, one critical," June 13 and "Experts warn of 'major' hole in Apache Web server," June 17.]
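The weakness described above is a chunk-size field that the server trusts too readily. As an added example (not code from the article, from Apache or from IIS), here is a chunk-size parser written the way a server should validate that field: hex digits only, overflow rejected, and the result bounded by the receiving buffer; the `limit` parameter, the `read_chunk` helper and the constructed inputs are assumptions for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the article or either project's code base.
 * Parses the size line of one HTTP/1.1 chunk ("1a" or "1a;ext=foo").
 * Returns the size on success, or -1 if the line is malformed, the hex
 * value would overflow, or the size exceeds `limit` (the receiving
 * buffer's capacity). Digits are accumulated by hand so that a leading
 * sign, whitespace or "0x" prefix can never be silently accepted. */
long parse_chunk_size(const char *line, size_t limit)
{
    unsigned long n = 0;
    const char *p = line;

    if (p == NULL || !isxdigit((unsigned char)*p))
        return -1;                          /* must begin with a hex digit */

    for (; isxdigit((unsigned char)*p); p++) {
        int c = tolower((unsigned char)*p);
        int d = isdigit(c) ? c - '0' : c - 'a' + 10;
        if (n > (ULONG_MAX >> 4))
            return -1;                      /* next shift would overflow */
        n = (n << 4) | (unsigned long)d;
    }
    if (*p != '\0' && *p != ';')
        return -1;                          /* only a chunk-extension may follow */
    if (n > limit || n > LONG_MAX)
        return -1;                          /* larger than the caller can hold */
    return (long)n;
}

/* Copies one chunk's payload into out[] only after its declared size has
 * been validated against both the buffer and the bytes actually received,
 * so a hostile size can never turn into an oversized copy. */
long read_chunk(const char *size_line, const char *payload, size_t payload_len,
                char *out, size_t out_len)
{
    long n = parse_chunk_size(size_line, out_len);
    if (n < 0 || (size_t)n > payload_len)
        return -1;
    memcpy(out, payload, (size_t)n);
    return n;
}
```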
A worm exploiting the flaw in Apache running on FreeBSD operating systems is already crawling the Internet, but its spread so far appears to be limited. However, more effective variants of the worm that also attack Apache on other operating systems could soon appear, experts have warned.

The "increased focus on chunked encoding vulnerabilities in general" and the discovery of "hostile code attempting to exploit similar vulnerabilities on other platforms" are the reasons Microsoft gave for upgrading its severity rating, the company said in its bulletin. Microsoft urges customers to disable HTR scripting or apply a software patch.

Apache administrators are acting swiftly. Well over 6 million sites have already upgraded to Apache 1.3.26, a fixed version of the software released on June 20. Still, about 14 million potentially vulnerable Apache sites remain, according to Netcraft.

Apache is the most commonly used Web server software, running on 64% of Web sites in June. Microsoft's software is second, with almost 25% of all Web sites, according to Netcraft.