[ISN] A Month of PHP Bugs

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 00:03:31 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Free White Paper: Address the Insider Threat

Filtering the Spectrum of Internet Threats

Automatically fix links when you move files!

=== CONTENTS ===================================================

IN FOCUS: A Month of PHP Bugs

   - TJX Data Breach Investigation Reveals More Exposure
   - Vista Tips for IT Pros
   - CastleCops Endures DDoS Attack
   - Recent Security Vulnerabilities

   - Security Matters Blog: My Toaster Crashed
   - FAQ: Recovering Disk Access After Renaming Servers
   - From the Forum: "Act as part of the operating system" Permission 
   - Share Your Security Tips

   - Policy Control Software Adds SNMP Event Monitoring
   - Wanted: Your Reviews of Products 




=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat 
   Learn how to develop a comprehensive management system that 
virtually eliminates the risk of an insider threat. Co-authored by 
NetIQ and Dr. Eric Cole, this informative white paper identifies the 
key business processes that must be secured and ready to build a 
solution to contain the insider threat.

=== IN FOCUS: A Month of PHP Bugs =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that back in December 2006, Stefan Esser resigned from 
the PHP Security Response Team in disgust. At the time, Esser said that 
"any attempt to improve the security of PHP from the inside is 
futile.... The PHP Group will jump into your boat as soon you try to 
blame PHP's security problems on the user but the moment you criticize 
the security of PHP itself you become persona non grata. I stopped 
counting the times I was called immoral traitor for disclosing security 
holes in PHP or for developing Suhosin." 

Suhosin is of course a fantastic patch for the PHP source code that 
makes it far more secure than it is without the patch. If you haven't 
read about Suhosin, you can do so at the URL below.

In response to Esser leaving the PHP Security Response Team, Zeev 
Suraski wrote that he'd "like to take the opportunity, again, and ask 
Stefan to come back to [the] security team, and work with the project 
and not against it. As any project that has hundreds of people 
contributing to it, you never find yourself in agreement with everyone 
at any given time. It doesn't mean that those who don't think exactly 
like you are your 'enemies,' and it certainly doesn't mean you should 
quit and turn to the 'other side.'" It seems to me that if Suraski is 
serious about wanting Esser back, then he could have gone without the 
two less-than-subtle digs at Esser. 

So far, Esser has not returned to the team, and earlier this month, he 
declared that he's going to launch a "Month of PHP Bugs." He's now 
decided that March 2007 will be the month to do that. As is the trend, 
every day for the month of March, Esser will post about at least one 
bug in PHP. You can read more about it at the URL below.

PHP is widely used, and many of you undoubtedly have it in use on your 
systems. You should probably keep an eye on Esser's Web site in March 
to learn of the newly disclosed PHP bugs so that you can take action to 
defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5, 
both released in the second week of February 2007, so be sure you're 
using the latest version. 

You should also seriously consider integrating the Suhosin patch as 
soon as you can--if you can. Unfortunately, no precompiled package of 
PHP that includes Suhosin seems to be available, so you're on your own 
and will need to compile the patch yourself. 

=== SPONSOR: St. Bernard Software ==============================

Filtering the Spectrum of Internet Threats
   Examine the threats of allowing unwanted or offensive content into 
your network and learn about the technologies and methodologies to 
defend against inappropriate content, spyware, IM, and P2P. Download 
this free white paper now!

=== SECURITY NEWS AND FEATURES =================================

TJX Data Breach Investigation Reveals More Exposure
   The TJX Companies reported that its data breach was more severe than 
it had originally detected. 

Vista Tips for IT Pros
   Windows Vista has lots of little changes that will affect IT 
professionals and administrators. Learn more about them in this article 
on our Web site. 

CastleCops Endures DDoS Attack
   CastleCops, an online security community whose charter is to help 
fight malware and phishing scams, fell under Distributed Denial of 
Service (DDoS) attacks beginning February 13.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Linktek ===========================================

Automatically fix links when you move files!
   Patented LinkFixerPlus is the first application that automatically 
fixes broken links in Excel, Word, Access, PowerPoint, Acrobat, 
InDesign, PageMaker, AutoCAD and other files when performing data 
migrations due to: server consolidations, server name changes, path 
name changes or folder reorganizations! Detailed broken link reporting 
   Download the FREE trial version NOW at 

=== GIVE AND TAKE ==============================================

   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4C364:57B62BBB09A692791DE937E2FA56D245

Coding errors create security bugs. It's as simple as that. So don't be 
surprised if someone crashes your toaster someday. Read this blog 
article to learn just how easily some devices can be crashed. 

FAQ: Recovering Disk Access After Renaming Servers
   by John Savill, http://list.windowsitpro.com/t?ctl=4C360:57B62BBB09A692791DE937E2FA56D245 

Q: I've renamed servers using a special script but am now having 
problems accessing disks via the Microsoft Management Console (MMC) 
Disk Management snap-in. What's the problem?

Find the answer at

FROM THE FORUM: "Act as part of the operating system" Permission
   A forum participant has an application that requires the "Act as 
part of the operating system" right to operate correctly on Windows 
2000 systems. However, the same application doesn't require this right 
on Windows XP systems. He wonders why this is the case and what the 
implications are of granting an application this right. Join the 
conversation at the URL below.

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Policy Control Software Adds SNMP Event Monitoring
   Active Reasoning announced the availability of Active Reasoning 
System 5, which lets businesses embed IT policy controls in business 
systems and applications to provide real-time change detection and 
configuration auditing. Active Reasoning automatically maps policy 
frameworks and controls to the users, applications, systems, network 
devices, files, and databases that need to be monitored to enforce the 
policies. New in System 5, SNMP event monitoring lets Active Reasoning 
collect event and change information from network devices in addition 
to applications and servers. For more information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Do you want to block unwanted or undesirable email? Download this free 
white paper to learn how to manage the content of messages traveling 
your network. 

How do you manage security vulnerabilities? If you depend on 
vulnerability assessments to determine the state of your IT security 
systems, you can't miss this Web seminar. Special research from Gartner 
indicates that deeper penetration testing is needed to augment your 
existing vulnerability management processes. Learn more today! 

Windows + UNIX/Linux = You Need TechX World! 
   If you work in an environment that includes Windows plus UNIX/Linux, 
TechX World is the place to go for practical strategies and resources 
to add to your toolkit. This one-day technical training event will 
teach you how to make the most of open-source tools on Windows and how 
to manage and sync multiple directories. Register today! 

=== FEATURED WHITE PAPER =======================================

One common set of controls can help you manage compliance across 
multiple regulations and standards. Download this free IDC white paper 
and find out how to map controls to the appropriate regulations, saving 
time and expense in demonstrating compliance. 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting April nominations now, but only for a limited 
time! Submit your nomination today: 


Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4C367:57B62BBB09A692791DE937E2FA56D245
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Visit the InfoSec News Security Bookstore!

This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 00:13:01 PST