New Apache flaw adds to Internet woes

A recently discovered Apache security hole, along with flaws in Microsoft servers, are putting the Web's security at risk

Web servers and corporate PCs are at risk from vulnerabilities in the popular Apache server software and in a component of Microsoft's Windows 2000. The Apache flaw could allow an attacker to discover sensitive information or execute malicious code, while the Windows bug makes it possible for users to gain privileges high enough to alter files and user accounts.

The Apache flaw affects versions 2.0.39 and earlier, but only affects non-Unix platforms such as Windows, OS2 and Netware. The software can be made to reveal the absolute path to a script whenever the server attempts, and fails, to execute the script. Such path information would give valuable information to a potential attacker. An attacker could also use the flaw to execute programs on the server.

An advisory issued on Monday from the US' Computer Incident Advisory Capability, a service of the US Department of Energy, has warned that although Apache is not usually run on non-Unix platforms, the exploit is likely to be carried out because it is "easy and remote".

Users can apply a simple workaround or a patch to fix the problem. Both are included in Apache's warning, available on its Web site.

The new Apache flaw comes shortly after researchers publicised several security holes in OpenSSL, a security protocol, which could open the door to attacks on Apache servers. These flaws, along with other recent vulnerabilities in Apache and Microsoft servers, led one Internet researcher to comment on Tuesday that "a great many e-commerce sites are presently vulnerable to direct attack over the Internet."

The Windows 2000 flaw affects a component called Network Connection Manager (NCM), which controls many network connections. Microsoft warned that a malicious user could, through a complex process, cause the NCM to execute the attacker's code with full system privileges.

The attack would require the user to already have low-privilege, interactive access to the system, but many companies offer this type of access to users through workstations or a Terminal Services server. The risk for Internet servers is, however, low.

Microsoft has released a patch to fix the problem on its Web site.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.