Web ripe for massive worm attack

The Web is currently more vulnerable to attack than ever before, as a result of several serious security flaws for different server applications being published within a few days of one another, according to a survey from British network security firm Netcraft.

Microsoft published a trio of security advisories on 12 June related to its Internet Information Server (IIS), and this was followed on 17 June by the publication of a bug in the Apache Web server application that leaves the software open to a buffer overflow attack. Together, Apache and IIS make up nearly 90 percent of active Web servers, according to Netcraft, although it has not yet been conclusively proven that the Apache flaw affects versions running on the Linux and Solaris operating systems.

One of the IIS flaws affects servers with activated HTR scripting -- an obsolete technology that has been replaced by Active Server Pages. Netcraft noted that around half of the IIS sites on the Internet have HTR scripting enabled, meaning they are probably vulnerable to the attack.

"This is more like an isolated event than a trend," said Netcraft director Mike Prettejohn. "This is the first time I can think of that there has been a remotely exploitable Apache vulnerability, and it happened to come within 10 days of this particular Microsoft vulnerability. It has all combined to make the Web pregnant for exploitation."

He said that if a worm appeared that made use of the HTR scripting flaw, he would expect it to be "very successful".

The situation is made worse by a worm discovered over the weekend that makes use of the Apache flaw, a vulnerability in the mechanism for handling "Chunked Encoding". The worm is thought to be capable of spreading only to Web servers running the FreeBSD operating system -- an open-source variant of Unix -- and which have not had a patch applied for the recent flaw. Although few people have reported the worm, it is thought to be infecting vulnerable Web servers worldwide.

Hacking experts have come up with exploits for this flaw on the Windows, FreeBSD and OpenBSD operating systems.

Netcraft said that the rate at which Apache servers are being patched is encouraging, with about one-third of Apache's installed base -- or about six million -- having been patched within a week of the flaw's discovery. However, this still leaves 14 million vulnerable sites, according to Netcraft.

Prettejohn also noted that patching rates may be higher than they appear; an Apache patch from Linux vendor Red Hat is more difficult to detect, as it does not change the version number of the Apache server.

While the spread of destructive worms gets a great deal of public notice, Prettejohn said that worms actually serve a valuable function in making the Web more secure. "Worms are disruptive, but they do tend to flush out any covert activity that may be going on," he said.

Attackers often quietly compromise a server in order to install back doors that give them ongoing access to sensitive information, Prettejohn said, but when the server is patched, such back doors are removed.

Last year, before the Code Red worm attack, a Netcraft security test found that one in six e-commerce sites running IIS had already had a back door installed. Patches installed to counter Code Red eliminated most of these back doors, Netcraft found.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.