Apache flaw patched

Just for recount for those that may not have noticed, a flaw in the Apache web server has been patched.

The article is here...

As quoted:

Quote:

The buffer overflow flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29 and 1.3.31, which were configured to act as proxy servers. Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.

An Apache Week advisory said the buffer overflow can be triggered by getting the mod_proxy feature to connect to a remote server and return an invalid content-length.

And...

Quote:

The risk of code execution is high on older OpenBSD/FreeBSD distributions because of the internal implementation of memcpy, which re-reads the length value from the stack. On newer BSD distributions, it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker-controlled location, according to the alert.

My own opinions still remain the same...it's great to see these flaws fixed in a very timely manner because apache, being the #1 web server used worldwide, one would've thought they'd have a lot more vulnerabilities.

On a separate debate, for those that say that because windows is the most used desktop OS, it's going to be hammered with problems, as time has already shown. My question is, with Apache being the most used web server WORLDWIDE, why do they not have anywhere near the exploits, problems, etc that IE/Windows have?

From Netcraft's latest survey (here):

Apache has 35,122,146 servers out there as of July 2004 (67.37%) while IIS has 11,115,660 servers as of July 2004 (21.32%).

Those numbers are simply staggering and it just tells me what a better product can do. This is not meant to be a flame on IIS, but more or less showing those that think that a product being #1 would be the most exploited simply isn't true.