Security Flaw In Web Software

The handling of a security bug affecting Web page software is exposing cracks in a government-industry effort to protect the Internet from hackers.

The latest problem occurred Monday when a serious flaw in the most widely used Web server software led to conflicting and confusing messages from a security company and the software's authors.

Some security experts want to see a more regimented approach.

"It would be good if people would agree on some standards," said Chris Wysopal of Boston security firm AtStake. "People can't be put at risk like this again and again."

Internet Security Systems of Atlanta published a warning early Monday about vulnerabilities in the Apache Web server software on some computer operating systems. Apache is used on about 60 percent of Web servers, the large computers that deliver Web pages on the Internet.

The hole is especially dangerous because many companies, like IBM and Oracle, create products that rely in part on Apache.

Now ISS is under fire from the Apache developers and other security researchers for breaking informal industry agreements by rushing out the warning - and a partial fix - before coordinating with the developers.

Wysopal said researchers should always contact the software vendor first, particularly because a researcher may release a fix that causes more problems than it solves.

"Is the goal here to get credit for something?" Wysopal said. "I thought the goal here was to help people who have security vulnerabilities."

There are several third-party groups that are designed to coordinate computer security information. But there may be too many -- ISS and the Apache developers chose different ones, and still never coordinated.

Cox said the Apache developers spoke with researchers at the CERT Coordination Center, based at Carnegie Mellon University in Pittsburgh and partially funded by the Defense Department. Rouland said ISS talked to the National Infrastructure Protection Center, part of the FBI.

Spokesman Bill Pollak said CERT does share information with NIPC, but had no specific details on the Apache hole. A spokeswoman for NIPC did not immediately return a call seeking comment.

Chris Rouland, ISS's top researcher, said the company thought hackers would learn about the hole soon.

"It's a tough ethical decision for us to make," Rouland said. "We didn't set out to burn Apache. We want to make sure we notify our customers appropriately."

Rouland said he didn't notify the developers of Apache because they aren't a formal company. Apache is open-source, meaning that the software and its source code are freely available and that its development is managed by a group of programmers who coordinate its evolution.

For his part, Cox said he already knew about the hole from a different researcher, and that the ISS fix doesn't repair the entire problem.

"If ISS had told us before going public, we could have told them their patch was insufficient," Cox said. "The fact that they didn't has caused some problems."

More details on the problem, as well as a patch approved by the Apache developers, are available from the CERT Web site.

Until there is a clear process in place to release information about security problems, said several experts, users are likely to stay confused.

By D. Ian Hopper