The open source Apache project patched its web server software this week to fix a bug that a denial-of-service tool has been exploiting. Apache 2.2.20, released Tuesday, plugs the hole used by the "Killer Apache" attack tool, which hackers have been using for more than a week to exploit a flaw in the web server. On 24 August, the project's developers promised a fix within 48 hours, then two days later revised the schedule to 24 hours.
The security advisory did not explain the delay. Previously, the project had offered web server administrators a way to protect their systems until a patch was available. "We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade," the advisory said Tuesday. Although the DoS vulnerability also exists in the older Apache 1.3, the project no longer supports that version.
According to an update to the original advisory that Apache published last week, the fix reduces the amount of memory used by the HTTP request and acts "to remove or simplify the request considered too heavy." Although the update patches the bug that Killer Apache exploited, Apache acknowledges that part of the problem lies with the HTTP protocol itself. Describing the problem, Apache says it is "a problem for web servers and is currently the subject of discussion at the IETF to change the protocol." "Team Apache should be applauded for testing and releasing a critical security fix so quickly," said Chet Wisniewski, a security researcher with Sophos. Others, however, have pointed out that because Apple bundles Apache with Mac OS X and maintains the software through operating system updates, users running Mac-based servers will have to wait for Apple to provide a fix.
"It will be interesting to see how Apple rates the bug and how fast they patch," said Andrew Storms, director of security operations at nCircle. According to statistics kept by Netcraft, Apache powers 65.2% of all web servers in use.