'Kill tool' released for unpatched Apache server vulnerability
Summary: The open-source Apache Software Foundation warns that active use of a 'killapache' attack tool targeting an unpatched vulnerability has been observed.
The open-source Apache Foundation has warned that an attack tool has been released for a serious vulnerability in the Apache HTTPD Web Server.
The 'killapache' attack tool is currently circulating in the wild. "Active use of this tool has been observed," Apache warned.
"The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server," according to an advisory that documents a denial-of-service flaw in the default Apache HTTPD installation.
The group described the issue as a Range header DoS vulnerability and offered several pre-patch mitigations to limit the damage from a malicious denial-of-service attack.
"Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the mitigations," Apache said.
A patch or new Apache release for Apache 2.0 and 2.2 is expected later this week.
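The article does not reproduce Apache's pre-patch mitigations, so the following is an added illustration, not code from the article or from the Apache project. It assumes (from the advisory for this issue as I recall it) that the mitigation amounts to refusing requests whose Range header, or the older Request-Range alias, lists more than a handful of byte ranges; the threshold of 5, the header-parsing helper and the three sample requests are all constructed here for the example.

```python
"""Defender-side check for the Apache Range header DoS: flag or reject requests
that carry an unusually large number of byte ranges. Added example; not the
Apache project's own mitigation code."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed threshold: the advisory's mod_rewrite mitigation allowed only a few
# ranges per request; 5 is a reasonable default, tune it to real traffic.
MAX_RANGES = 5

# One byte-range spec: "first-last", "first-" or "-suffix" (RFC 2616 style).
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def count_byte_ranges(header_value: Optional[str]) -> int:
    """Number of byte-range specs in a Range header value.

    Returns 0 for an absent or empty header and -1 for a value that is not a
    well-formed bytes= range set (a defender treats malformed input as suspect).
    """
    if not header_value:
        return 0
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return -1
    specs = value[len("bytes="):].split(",")
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        # "-" with neither bound is not a valid range spec.
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return -1
    return len(specs)


def should_reject(headers: Dict[str, str], max_ranges: int = MAX_RANGES) -> bool:
    """Mirror the pre-patch mitigation: refuse requests with too many ranges.

    Header names are compared case-insensitively. Request-Range is checked as
    well, on the assumption that the server honours that legacy alias.
    """
    for name, value in headers.items():
        if name.lower() in ("range", "request-range"):
            n = count_byte_ranges(value)
            if n == -1 or n > max_ranges:
                return True
    return False


def parse_request(raw_request: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into (request line, header dict)."""
    lines = raw_request.strip().splitlines()
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return request_line, headers


def scan_requests(raw_requests: List[str]) -> List[Tuple[str, bool]]:
    """Return (request line, reject?) for each raw request head."""
    return [(rl, should_reject(h)) for rl, h in map(parse_request, raw_requests)]


# Constructed sample request heads: a plain GET, a legitimate resumed download,
# and one carrying many ranges that the mitigation should refuse.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
    "GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=1048576-\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Range: bytes=" + ",".join(f"{i}-{i}" for i in range(12)) + "\r\n",
]

if __name__ == "__main__":
    for request_line, reject in scan_requests(SAMPLE_REQUESTS):
        print(f"{'REJECT' if reject else 'allow '}  {request_line}")
```

In production the same rule belongs in the web server or reverse proxy configuration rather than in application code, but the parsing above shows what the rule has to decide: count the comma-separated specs after `bytes=`, treat anything malformed as suspect, and refuse once the count passes the chosen limit.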
Talkback
RE: 'Kill tool' released for unpatched Apache server vulnerability
Links please
RE: 'Kill tool' released for unpatched Apache server vulnerability
Fbs
RE: 'Kill tool' released for unpatched Apache server vulnerability
a lesser problem? tell to a Hoster :)
RE: 'Kill tool' released for unpatched Apache server vulnerability
Ahh. Wonderful recovery. Not.
Even if I totally agree that one of the things that pro open source community members have said is that the open source community typically releases fixes faster than proprietary software vendors, it most certainly doesn't negate the fact that at the very least "some" in the pro open source community have said a lot more than that.
It's definitely one of those situations where "some" have made statements very clearly that, while falling somewhat short of claiming Superman-like invulnerability to attacks, are clearly designed to make one believe that these kinds of attacks are "practically" or "virtually" impossible. They make it sound like the potential for such vulnerabilities to cause any concern is so far removed from reality that there is "virtually" nothing to fear from the possibility of such an attack.
As always, I can really only say one thing about such claims. If anyone ever thinks that if the whole world went open source/Linux tomorrow, the hacker community would quickly be drummed out of business simply because such operating systems are so difficult to do any damage to...they are out of their minds. You can count on it as a fact that what the hacker community would do is in fact anything and everything it could possibly take to step up their efforts by any means possible and necessary to make hacking a Linux box as close to as profitable as any other operating system.
Count on it. It's not a fairy tale; it's the same determination that invented the computer and put a man on the moon. One thing you can say about humans, there is always a large enough number of them in every walk of life that will never give up and eventually come up with the solution to the problem at hand. And when that begets a new problem, there will always be plenty who will begin anew right away on that one.
RE: 'Kill tool' released for unpatched Apache server vulnerability
After all, unplugging your net cable is another 'mitigation' of sorts.
RE: 'Kill tool' released for unpatched Apache server vulnerability
And that's real nice.
But the one singular thing the open source community has absolutely got to keep in mind if they want to keep it real when discussing the pros and cons of, let's say, Windows vs. Linux for example: nobody outside of the open source community cares that much. At all.
And that's simply because whatever inherent superior security measures Linux, for example, has embedded into its code that make hacking more difficult, the majority of the world who does use Windows has not experienced anything close to the problems the "Anything but Microsoft" crowd so often likes to claim exist.
Does Windows have some inherent risks? Yes, we all know it does. I for one will always agree that the sheer number of relentless attacks designed for Windows is alone enough for concern. But Windows users have for a very long time now been fully prepared to accept those risks, because they exist the way they do often because Windows has been designed for an incredible breadth of backward and forward capabilities for both software and hardware, as well as many ease-of-use features, that dictate that the OS is very very very complex and sizable, and certainly that always has the potential to create more leaks in a larger, more complex and versatile ship, so to speak.
The end result has been that for the vast majority of the population the problems actually coming out of these potential risks have been mercifully few, and the payoff of having such an easy-to-use, diverse operating system has been great.
So, this quick patching by the community is nice. But keep in mind, it's not going to ever be an argument that has any sway in what kind of OS someone should choose unless security is so paramount that most other features can be ignored in favor of even marginal security improvements.
Like maybe if you're a super spy for the C.I.A. or something. And you can trust me, if a spy from the C.I.A. ever asks me what OS he should use for absolute maximum security, I will recommend he take a good look at something in the open source/Linux vein.
RE: 'Kill tool' released for unpatched Apache server vulnerability
Nicely put.
RE: 'Kill tool' released for unpatched Apache server vulnerability
Why not