Web more vulnerable now than ever

The recent publication of similar security vulnerabilities in the two most-used Web server software products makes the Web more vulnerable now than ever, Web server information company Netcraft Ltd. warned.

With more than half of the Internet’s Web servers potentially vulnerable, conditions are “ripe for an epidemic of attacks” against sites running Microsoft Corp. Internet Information Server (IIS) or the open-source Apache Web server software, Netcraft of Bath, England, said in its monthly Web Server survey released Monday.

Microsoft increased the severity rating of a flaw in IIS versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000 to “critical” in response to what it called “a significant change in the threat environment” in a revised security bulletin also issued on Monday by the Redmond, Washington, software giant.

The flaw in IIS lies in software that supports HTR scripting, an older, according to Microsoft “largely obsolete” scripting language. However, Netcraft found that about half of Web sites using Microsoft IIS have HTR scripting enabled.

The flaws in both IIS and Apache relate to the way the Web server products parse uploaded data and can cause the software to misinterpret the size of incoming chunks of data, a so-called chunked encoding vulnerability. An attacker could gain complete control over a vulnerable system by sending a specially crafted request to the server.

A worm exploiting the flaw in Apache running on FreeBSD operating systems is already crawling the Internet, but its spread so far appears to be limited. However, more effective variants of the worm that also attack Apache on other operating systems could soon appear, experts have warned.

The “increased focus on chunked encoding vulnerabilities in general” and the discovery of “hostile code attempting to exploit similar vulnerabilities on other platforms” are the reasons for Microsoft to upgrade its severity rating, the company said in its bulletin. Microsoft urges customers to disable HTR scripting or apply a software patch.

Apache administrators are acting swiftly. Well over 6 million sites are already upgraded to Apache 1.3.26, a fixed version of the software released on June 20. Still, about 14 million potentially vulnerable Apache sites remain, according to Netcraft.

Apache is the most commonly used Web server software, running on 64 per cent of Web sites in June. Microsoft’s software is second, with almost 25 per cent of all Web sites, according to Netcraft.