Re: Remote Compromise Vulnerability in Apache HTTP Server

["David Litchfield" <david () ngssoftware com>]

Like ISS obviously did, one of the first things NGSSoftware did after the
eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what
else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted
that the Win32 distribution of Apache was vulnerable.

However, our approach to addressing this problem was/is completely
different. We alerted Oracle, Apahce and CERT.

Our last response from Mark Fox of Apache was that they "have decided that
we need to co-ordinate this issue with CERT so that we can get other vendors
who ship Apache in their OS and projects aheads-up to this issue."
NGSSoftware, of course agreed that this would be the best plan of action as
most people who use the Win32 Apache version do not have a compiler and so
can take steps to protect themselves. They're mostly relying on their apache
'supplier' to produce a patch.

Of course, with a premature release from ISS many are now left vulnerable
without a patch from the apache 'supplier'.

This, now, leads to the next issue. There have been many instances where two
or more security organizations discover the same vulnerability at the same
time but differ in the manner and time at which they choose to alert the
general public, leading to all sorts of problems.

With more people and organisations doing security research, perhaps it is
time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third
party like an off-shoot of CERT. I know this is not a new idea and one which
has been brought up before but one I think should perhaps be discussed again
and acted upon.

When a vendor is alerted the VCC is CC'd (pun not intentional) and this way
a co-ordinated full alert can go out when the time is right.

Any takers???

Cheers,
David Litchfield
Next Generation Security Software Ltd
http://www.ngssoftware.com/
+44(0)208 401 0070