Security flaw in Web software exposes holes in government-backed alert system

Tuesday, June 18th 2002, 12:00 am
By: News On 6

WASHINGTON (AP) - A security bug was found in software used by millions of Web sites. Private experts alerted users and the FBI's computer security division.

Problem is, they didn't tell the maker of the software. Then they issued the wrong prescription for fixing the problem.

The incident Monday involving Apache's Web software shows that the system to insulate the Internet from attack - a joint effort of the government and private companies - is still a long way from perfect.

"It would be good if people would agree on some standards," said Chris Wysopal of Boston security firm AtStake. "People can't be put at risk like this again and again."

Internet Security Systems of Atlanta published a warning early Monday about vulnerabilities in Apache on some computer operating systems. Apache is used on about 60 percent of Web servers, the computers that deliver Web pages to the Internet. Many companies, including IBM and Oracle, create products that rely in part on Apache.

Now ISS is under fire for breaking informal industry agreements by rushing out the warning - and a partial fix - before coordinating with Apache developers.

The issue reveals infighting and hasty decisions that have become common in the computer security industry. Experts say the effect is to confuse users and possibly cause even more security problems.

Several third-party groups are designed to coordinate computer security information. But there may be too many - ISS and the Apache developers chose different ones, and never coordinated with each other.

ISS researcher Chris Rouland said the company talked to the National Infrastructure Protection Center, part of the FBI. Apache developer Mark Cox said his group spoke with researchers at the CERT Coordination Center, based at Carnegie Mellon University in Pittsburgh and partially funded by the Defense Department.

Spokesman Bill Pollak said CERT does share information with NIPC, but would give no specific details on the Apache hole. A spokeswoman for NIPC had no comment.

The Bush administration has called for the consolidation of government computer security groups under the proposed Homeland Security Department, and Bush advisers have admonished the technology community to share more information with government to protect consumers.

Rouland said ISS was rushing to beat hackers to the punch.

"We didn't set out to burn Apache," Rouland said. "We want to make sure we notify our customers appropriately."

Rouland said he didn't notify the developers of Apache because they aren't a formal company. Apache is open-source, meaning that the software and its source code are freely available and managed by programmers who coordinate its evolution.

Complicating the matter, Rouland said he didn't trust Cox, who along with his Apache duties is the senior director of engineering at Red Hat Software, which distributes the Linux operating system. Rouland accused Red Hat of taking credit for earlier ISS research.

Cox said he already knew about the hole from a different researcher, and that the ISS fix doesn't repair the entire problem.

"If ISS had told us before going public, we could have told them their patch was insufficient," Cox said. "The fact that they didn't has caused some problems."