Just read the Apache.org advisory: "While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential a remote exploit vulnerability. We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory."

Sounds like ISS rushed the release of this to beat you to it Litchfield. That is rather poor on their part.

If someone has an Apache module that strips chunked encoding that _should_ at least give people a work around for this vulnerability for now. Not sure if the module will process before Apache processes chunked encoding itself but if it does it should work. We are currently looking into it.



Robert G. Ferrell - rferrell(a)texas.net on ISN list

Mark Litchfield discovered a vulnerability in Apache, and followed proper channels by contacting the software maintainer and working with them to develop a fix before going public with potentially exploitable details.

ISS bypasses accepted channels completely and posts information about the vulnerability to a public list, providing at the same time a patch that doesn't seem to fix the vulnerability as stated, along with installation instructions that, while accurate, are not going to be of much use to most Win32 admins.

Apache is now in the position of having to scramble to release a patch before people start exploiting a vulnerability that would not have been widely known if ISS had shown a bit more restraint.


On possible interpretation of the sequence of events (not the only one, but the one that strikes me as most likely) is that ISS wanted to go on record as having reported the vulnerability in Apache (and these are relatively rare) first, come hell or high water. I understand that being first out of the chute can give you a public relations edge in the tough, competitive world of information security products and services, but it looks to me as though going this route is paramount to shooting yourself in both feet with the same bullet. Being first to post a non-existent vulnerability and then providing a patch that wouldn't fix it anyway ain't no way to go through life.



Robert Lemos - rob.lemos(a)cnet.com article on CNET

Chris Rouland, director of ISS's research and development team, known as X-Force, maintains that the company did the right thing when it released an advisory on the issue and included a patch as well. "We are competing with the 10 million hackers out there, who are trying to break in to Web servers," he said. "The hackers were the real ones that were ticked off that we released the advisory. That's one less exploit that they could use."

Read this article on CNET (http://www.cnet.com/investor/news/newsitem/0-9900-1028-20051547-0.html).


3) Solutions and patches

ISS X-Force has developed a patch for "Remote Compromise Vulnerability in Apache HTTP Serve" issue. The patch is available from the ISS advisory located on the top of this paper.