Survey says e-commerce servers still vulnerable

A new server survey from Netcraft finds that administrators are taking their time patching e-commerce servers, potentially leaving them open to newly discovered attacks.

Virus activity may have declined so far this year, but a new study has found that Internet servers are being left worryingly vulnerable to a series of newly discovered bugs.

According to a survey by UK research firm Netcraft, published earlier this week, system administrators have been upgrading their Web servers to fix new vulnerabilities, but have been slower to upgrade servers used for e-commerce and encryption.

The survey found that almost half of the 22 million monitored sites using Apache software for serving Web pages had been upgraded to version 1.3.26, which fixes a recently publicised vulnerability. But only one quarter of Apache sites using Secure Sockets Layer (SSL), which creates the encrypted communications channel typically used for e-commerce, have been updated to this version.

The situation should cause concern, Netcraft said, in light of the discovery of several vulnerabilities in OpenSSL, which can allow an attacker to execute code on a server. "Most sites using Apache for encrypted transactions and e-commerce will be vulnerable to the attack," said Netcraft director Mike Prettejohn in a statement.

Last month, a series of bugs in Microsoft Internet Information Server, Microsoft Commerce Server and Apache led Prettejohn to remark that the Web was more open to attack than ever before. While he called the situation more an incident than a trend, slowness in patching the affected servers, along with new bugs, has kept the window of danger open, Prettejohn said.

Among the most recent security alerts is an easily exploitable flaw in some versions of Apache that could allow attackers to discover where scripts are located on the server, and to execute code on the server.
