Security firms are advising network administrators to install security patches for SSL servers, including a recent update for mod_ssl, which is widely used in Apache servers running OpenSSL. A security update was released July 16 to fix the vulnerability, which may allow a remote attacker to execute arbitrary code when Apache is configured to use mod_ssl and mod_proxy, according to an advisory from Gentoo Linux.
Several recent samples of malicious code submitted to the SANS Institute were adapted from code published in April that targeted the Microsoft SSL vulnerability. The group that published the exploit, The Hacker's Choice, says the code has been downloaded at least 24,000 times.
While SSL servers would be expected to be closely maintained, a Netcraft sampling from last year showed that known SSL security holes remained unpatched for months after fixes were available.