This, now, leads to the next issue. There have been many instances where two or more security organizations discover the same vulnerability at the same time but differ in the manner and time at which they choose to alert the general public, leading to all sorts of problems.
With more people and organisations doing security research, perhaps it is time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third party like an off-shoot of CERT. I know this is not a new idea and one which has been brought up before but one I think should perhaps be discussed again and acted upon.
When a vendor is alerted the VCC is CC'd (pun not intentional) and this way a co-ordinated full alert can go out when the time is right.
Marc Maiffret - marc(a)eeye.com on BugTraq
You bring up a good point David. Barely anyone in the Windows world is going to sit and recompile their Apache versions especially with software like Oracle that also uses Apache. ISS has left all these people in a _very_ bad position.
It is worse than that though. According to Apache the ISS source code patch does not even work.
Since there has actually been many chunked encoding vulnerabilities released lately, and exploits (for win32) it only makes sense that it will take no time for someone to develop an exploit for this Apache Win32 chunked overflow, and then start using that to break into systems and what not.
Just read the Apache.org advisory: "While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential a remote exploit vulnerability. We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory."
Sounds like ISS rushed the release of this to beat you to it Litchfield. That is rather poor on their part.
If someone has an Apache module that strips chunked encoding that _should_ at least give people a work around for this vulnerability for now. Not sure if the module will process before Apache processes chunked encoding itself but if it does it should work. We are currently looking into it.
Robert G. Ferrell - rferrell(a)texas.net on ISN list
Mark Litchfield discovered a vulnerability in Apache, and followed proper channels by contacting the software maintainer and working with them to develop a fix before going public with potentially exploitable details.
ISS bypasses accepted channels completely and posts information about the vulnerability to a public list, providing at the same time a patch that doesn't seem to fix the vulnerability as stated, along with installation instructions that, while accurate, are not going to be of much use to most Win32 admins.
Apache is now in the position of having to scramble to release a patch before people start exploiting a vulnerability that would not have been widely known if ISS had shown a bit more restraint.
On possible interpretation of the sequence of events (not the only one, but the one that strikes me as most likely) is that ISS wanted to go on record as having reported the vulnerability in Apache (and these are relatively rare) first, come hell or high water. I understand that being first out of the chute can give you a public relations edge in the tough, competitive world of information security products and services, but it looks to me as though going this route is paramount to shooting yourself in both feet with the same bullet. Being first to post a non-existent vulnerability and then providing a patch that wouldn't fix it anyway ain't no way to go through life.