Over the last couple of years, as security vulnerability reports have piled up on products from such big vendors as Microsoft Corp., Oracle Corp. and Cisco Systems Inc., open-source advocates have snickered. If only those vendors would release their source code and let the open-source community at it, all their problems would go away, they said. And when the Code Red and Nimda worms chewed their way through hundreds of thousands of unpatched Microsoft Internet Information Services servers last year, Apache users sat back and smiled, believing nothing like that could happen to them.

Then it did.

In late July, researchers found several flaws in the OpenSSL tool kit, which is commonly used for secure transmissions on Apache servers. About six weeks later, someone released a worm called Slapper that exploited the vulnerability and not only installed a back door on each infected server but also turned machines using OpenSSL into a waiting army of zombies by dropping in a DDoS (distributed-denial-of-service) tool kit as well.

More at eWeek