Web server DoS flaw confirmed by Apache
The Apache Software Foundation has confirmed a severe vulnerability that makes it possible for a single computer to exhaust the memory of an Apache web server, and promised to release a patch within the next two days.
The confirmation comes a few days after the appearance of a DoS tool called "Apache Killer" that was posted Aug. 19 on the "Full Disclosure" security mailing list. With Apache running on 65.2 percent of web servers, the availability of such a tool is very bad news indeed.
It has emerged that the flaw was actually brought up in a 2007 post by senior security researcher Michal Zalewski, who wrote: "It is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits...Whoops?"
Zalewski then outlined possible attack scenarios in which an attacker needs only "a minimal bandwidth expense" to trigger a server into sending gigabytes of data.
So why did such a flaw remain ignored all this time? As reported on Channel Insider, Kevin Shortt, an incident handler at SANS Institute's Internet Storm Center, suggested that "it appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time."
For more:
- check out this article at Channel Insider
- check out this article at Web Host Industry Review