Apache exploit circulating, users urged to patch

If users have put off patching their Apache Web servers against the vulnerability discovered Monday, they should wait no longer, as an exploit to attack the security hole is now circulating on the Internet, according to Oliver Friedrichs, director of engineering at SecurityFocus Inc.

The exploit -- a tool which makes attacking a vulnerability easier -- was posted to the Bugtraq security e-mail list on Wednesday, Friedrichs said.

The existence of an exploit "makes the possibility of a worm that targets these (systems) more likely," he said.

The vulnerability, announced Monday by Internet Security Systems Inc., and then expanded upon by the Apache Software Foundation, could allow an attacker to take control of an affected Web server. Because of a flaw in the way Apache handles uploads, an attacker could send a specially-formed request to the server and cause it to deny service to legitimate users or take the system over, both groups said.

More than 60 percent of the Web servers on the Internet use Apache, according to data from Web server monitoring firm Netcraft Ltd.

CERT/CC (Computer Emergency Response Team/Coordination Center), a federally-funded computer security body located at Pittsburgh's Carnegie Mellon University, and Internet Security Systems both updated their advisories on the vulnerability after the release of the exploit, urging users to patch their systems.

Despite the presence of an exploit, SecurityFocus "(hasn't) seen increased attack activity" focused at Apache systems, Friedrichs said. SecurityFocus, which is based in San Mateo, California, monitors the networks of over 9,000 companies in over 145 countries for security data and then aggregates it to create a picture of global, regional and industry-specific Internet security.

The dearth of attacks isn't surprising to Friedrichs, as there is usually a one to two week period between vulnerability announcements and attacks, he said.

Though the exploit released Wednesday only attacks Apache installations running on the OpenBSD operating system, "it's not a monumental task ... for someone to modify it (to work with other operating systems)," he said.

Users should patch their systems immediately and check with their vendors for more information, Friedrichs said.

"People ... should be making the patching of their Apache servers a high priority," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?