The advisory from Internet Security Systems
(ISS) came out on June 17: the Apache server has a remotely-exploitable
vulnerability in its "chunk handling" code, which is used for handling
uploads of unknown size. The alert describes the problem, notes that the
Apache project has been alerted, and includes a patch.
It all looks like a fairly normal response to security problems in the free
software community, until you look a little more closely. It turns out
that the Apache group was already aware of the problem and was working on a
fix. The Computer Emergency Response Team (CERT) also was already
involved. It also turns out that the ISS patch does not completely fix the
problem. ISS, in its hurry to publicise the vulnerability, had not checked
with either CERT or the Apache Software Foundation.
Full disclosure of security vulnerabilities is (usually) seen as a good
thing in the free software community. Freedom, with regard to software,
includes the freedom to know about (and fix) problems. And, of course, full
disclosure is a powerful tool for forcing a software maintainer to release
a fix - most of the time. As a general rule, nobody is more secure when
the crackers are the only ones to know about security problems.
The other side of full disclosure, however, is that, when done too soon,
it can leave millions
of users open to a vulnerability while no fix is available. Such is the
case this time around. Sites running Apache on Windows are most vulnerable
to the chunk handling vulnerability; such sites are probably running a
binary distribution of Apache, many do not even have a compiler available,
and thus they will be poorly served by a source patch.
Full disclosure is a powerful tool which should be used with care. The
disclosure of a security vulnerability should never be a surprise to those
who must clean up the mess. Those who find security problems should
always work with the package maintainer and give that maintainer
time to make a fix available. Only in cases of serious stalling or neglect
should a disclosure go out before the maintainer is ready.
This is a lesson that the free software community will probably have to
relearn every so often. Free software has the potential to be far more
secure; its open nature lets any interested party inspect the code for
problems. But much of that advantage is lost when vulnerabilities are
handled in an immature manner. If you or your company find a security
vulnerability, surely you can wait a few days to claim your credit.
This vulnerability raises another concern as well. Much has been said
about the dominance of Windows systems on the net; the resulting
"monoculture" is highly vulnerable to security problems. Apache's
share of the total web server population is such that it could be
considered a monoculture as well. Apache has obtained that share through
consistent high quality and a strong security record. No package is
completely invulnerable, however, and Apache problems, when they do turn
up, place much of the net at risk. For the security of the net as a whole,
it would be nice if there were another free web server with something
resembling Apache's stature and market share.
For details on the chunk handling vulnerability, see the LWN vulnerability entry, the advisory from the Apache Software
Foundation or the CERT advisory. Initial
indications were that this problem was not remotely exploitable on Linux
systems, but that claim is now known to be false. If you are running an
Apache server, you want to upgrade as soon as possible.
to post comments)