Latest news
David Litchfield - david(a)ngssoftware.com on Bugtraq
Like ISS obviously did, one of the first things NGSSoftware did after the eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted that the Win32 distribution of Apache was vulnerable.
However, our approach to addressing this problem was/is completely different. We alerted Oracle, Apahce and CERT.
Our last response from Mark Fox of Apache was that they "have decided that we need to co-ordinate this issue with CERT so that we can get other vendors who ship Apache in their OS and projects aheads-up to this issue." NGSSoftware, of course agreed that this would be the best plan of action as most people who use the Win32 Apache version do not have a compiler and so can take steps to protect themselves. They're mostly relying on their apache 'supplier' to produce a patch.
Of course, with a premature release from ISS many are now left vulnerable without a patch from the apache 'supplier'.
This, now, leads to the next issue. There have been many instances where two or more security organizations discover the same vulnerability at the same time but differ in the manner and time at which they choose to alert the general public, leading to all sorts of problems.
When a vendor is alerted the VCC is CC'd (pun not intentional) and this way a co-ordinated full alert can go out when the time is right.
Marc Maiffret - marc(a)eeye.com on BugTraq
You bring up a good point David. Barely anyone in the Windows world is going to sit and recompile their Apache versions especially with software like Oracle that also uses Apache. ISS has left all these people in a _very_ bad position.
It is worse than that though. According to Apache the ISS source code patch does not even work.
Since there has actually been many chunked encoding vulnerabilities released lately, and exploits (for win32) it only makes sense that it will take no time for someone to develop an exploit for this Apache Win32 chunked overflow, and then start using that to break into systems and what not.
Spotlight
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
To hack back or not to hack back?
Posted on 12 June 2013. | If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. But is it a good idea?
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
