Highly critical vulnerability fixed in Nginx Web server software
Nginx 1.4.1 and 1.5.0 address remote code execution flaw that could lead to compromised servers
IDG News Service - The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers.
Identified as CVE-2013-2028, the vulnerability is a stack-based buffer overflow and was first introduced in the Nginx 1.3.9 development version back in November 2012. The flaw is also present in the 1.4.0 stable version released last month.
The bug, which has been rated as highly critical by vulnerability management firm Secunia, was fixed in the new Nginx 1.4.1 stable version and Nginx 1.5.0 development version. The vulnerability can be exploited by malicious attackers by sending specially crafted HTTP chunks to an exposed Nginx server.
Successful exploitation can lead to arbitrary code execution and system compromise, Secunia said in its advisory.
Nginx is developed with performance and low memory usage in mind and can be used as an HTTP server, as a reverse proxy server and as a load balancer. This makes it appealing to websites that receive a considerable amount of traffic.
Nginx is the third most widely used Web server software on the Internet after Apache and Microsoft IIS with a market share of over 15 percent, according to a recent Web server survey by Internet services firm Netcraft.
The software's growing popularity has, however, also attracted the attention of cybercriminals. On Tuesday, researchers from security vendor ESET reported the discovery of a sophisticated backdoor program designed specifically for Nginx servers. The existence of this malicious program is evidence that cybercriminals are no longer only targeting the most popular software.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts