A Month of PHP Bugs
Forwarded with permission from: Security UPDATE
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Free White Paper: Address the Insider Threat
http://list.windowsitpro.com/t?ctl=4C366:57B62BBB09A692791DE937E2FA56D245
Filtering the Spectrum of Internet Threats
http://list.windowsitpro.com/t?ctl=4C34E:57B62BBB09A692791DE937E2FA56D245
Automatically fix links when you move files!
http://list.windowsitpro.com/t?ctl=4C362:57B62BBB09A692791DE937E2FA56D245
=== CONTENTS ==================================================
IN FOCUS: A Month of PHP Bugs
NEWS AND FEATURES
- TJX Data Breach Investigation Reveals More Exposure
- Vista Tips for IT Pros
- CastleCops Endures DDoS Attack
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: My Toaster Crashed
- FAQ: Recovering Disk Access After Renaming Servers
- From the Forum: "Act as part of the operating system" Permission
- Share Your Security Tips
PRODUCTS
- Policy Control Software Adds SNMP Event Monitoring
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
ANNOUNCEMENTS
=== SPONSOR: NetIQ ============================================
Free White Paper: Address the Insider Threat
Learn how to develop a comprehensive management system that
virtually eliminates the risk of an insider threat. Co-authored by
NetIQ and Dr. Eric Cole, this informative white paper identifies the
key business processes that must be secured and ready to build a
solution to contain the insider threat.
http://list.windowsitpro.com/t?ctl=4C366:57B62BBB09A692791DE937E2FA56D245
=== IN FOCUS: A Month of PHP Bugs ============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
You might recall that back in December 2006, Stefan Esser resigned from
the PHP Security Response Team in disgust. At the time, Esser said that
"any attempt to improve the security of PHP from the inside is
futile.... The PHP Group will jump into your boat as soon as you try to
blame PHP's security problems on the user but the moment you criticize
the security of PHP itself you become persona non grata. I stopped
counting the times I was called immoral traitor for disclosing security
holes in PHP or for developing Suhosin."
Suhosin is of course a fantastic patch for the PHP source code that
makes it far more secure than it is without the patch. If you haven't
read about Suhosin, you can do so at the URL below.
http://list.windowsitpro.com/t?ctl=4C355:57B62BBB09A692791DE937E2FA56D245
In response to Esser leaving the PHP Security Response Team, Zeev
Suraski wrote that he'd "like to take the opportunity, again, and ask
Stefan to come back to [the] security team, and work with the project
and not against it. As any project that has hundreds of people
contributing to it, you never find yourself in agreement with everyone
at any given time. It doesn't mean that those who don't think exactly
like you are your 'enemies,' and it certainly doesn't mean you should
quit and turn to the 'other side.'" It seems to me that if Suraski is
serious about wanting Esser back, then he could have gone without the
two less-than-subtle digs at Esser.
http://list.windowsitpro.com/t?ctl=4C353:57B62BBB09A692791DE937E2FA56D245
So far, Esser has not returned to the team, and earlier this month, he
declared that he's going to launch a "Month of PHP Bugs." He's now
decided that March 2007 will be the month to do that. As is the trend,
every day for the month of March, Esser will post about at least one
bug in PHP. You can read more about it at the URL below.
http://list.windowsitpro.com/t?ctl=4C351:57B62BBB09A692791DE937E2FA56D245
PHP is widely used, and many of you undoubtedly have it in use on your
systems. You should probably keep an eye on Esser's Web site in March
to learn of the newly disclosed PHP bugs so that you can take action to
defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5,
both released in the second week of February 2007, so be sure you're
using the latest version.
You should also seriously consider integrating the Suhosin patch as
soon as you can--if you can. Unfortunately, no precompiled package of
PHP that includes Suhosin seems to be available, so you're on your own
and will need to compile the patch yourself.
http://list.windowsitpro.com/t?ctl=4C36A:57B62BBB09A692791DE937E2FA56D245
http://list.windowsitpro.com/t?ctl=4C361:57B62BBB09A692791DE937E2FA56D245
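As an added example, not part of the newsletter and not tooling from the PHP or Suhosin projects, the POSIX shell script below checks a PHP build against the two versions named above (5.2.1 for the 5.x branch, 4.4.5 for the 4.x branch) and looks for the Suhosin patch. It assumes that a Suhosin-patched build mentions "Suhosin" in its php -v banner; the banner embedded in the script is a constructed sample, and on a real host you would feed it the output of php -v instead.

```shell
#!/bin/sh
# Added example: audit a PHP build for (a) the minimum version recommended
# above and (b) the presence of the Suhosin patch. Nothing here is from the
# PHP or Suhosin projects.

# Constructed sample of "php -v" output (an unpatched, out-of-date 5.x build).
# Real use: php_check "$(php -v 2>/dev/null)"
SAMPLE_BANNER='PHP 5.2.0 (cli) (built: Feb 20 2007 10:11:12)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2006 Zend Technologies'

# version_ge A B: exit 0 if dotted version A >= B, comparing component-wise
# as integers (so 5.2.10 > 5.2.9, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# php_version BANNER: pull the version number out of the first banner line.
php_version() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# has_suhosin BANNER: assumption - a Suhosin-patched build names the patch
# in its php -v banner. Adjust the pattern if your build reports it differently.
has_suhosin() {
    printf '%s\n' "$1" | grep -q 'Suhosin'
}

# php_check BANNER: prints one word - outdated, missing-suhosin, ok, or
# unknown - and returns non-zero for anything other than ok.
php_check() {
    v=$(php_version "$1")
    case "$v" in
        5.*) min=5.2.1 ;;   # newest 5.x release named in the article
        4.*) min=4.4.5 ;;   # newest 4.x release named in the article
        *)   echo "unknown"; return 1 ;;
    esac
    if ! version_ge "$v" "$min"; then
        echo "outdated"; return 1
    fi
    if ! has_suhosin "$1"; then
        echo "missing-suhosin"; return 1
    fi
    echo "ok"
}

# Run against the constructed sample; "|| :" keeps a failing check from
# aborting the script when it is sourced under "set -e".
php_check "$SAMPLE_BANNER" || :
```

The version branch is selected from the major number, so a 4.x host is measured against 4.4.5 rather than against the 5.x release, and the numeric comparison in version_ge avoids the classic mistake of treating 5.2.10 as older than 5.2.9.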
=== SPONSOR: St. Bernard Software =============================
Filtering the Spectrum of Internet Threats
Examine the threats of allowing unwanted or offensive content into
your network and learn about the technologies and methodologies to
defend against inappropriate content, spyware, IM, and P2P. Download
this free white paper now!
http://list.windowsitpro.com/t?ctl=4C34E:57B62BBB09A692791DE937E2FA56D245
=== SECURITY NEWS AND FEATURES ================================
TJX Data Breach Investigation Reveals More Exposure
The TJX Companies reported that its data breach was more severe than
it had originally detected.
http://list.windowsitpro.com/t?ctl=4C35C:57B62BBB09A692791DE937E2FA56D245
Vista Tips for IT Pros
Windows Vista has lots of little changes that will affect IT
professionals and administrators. Learn more about them in this article
on our Web site.
http://list.windowsitpro.com/t?ctl=4C359:57B62BBB09A692791DE937E2FA56D245
CastleCops Endures DDoS Attack
CastleCops, an online security community whose charter is to help
fight malware and phishing scams, fell under Distributed Denial of
Service (DDoS) attacks beginning February 13.
http://list.windowsitpro.com/t?ctl=4C35B:57B62BBB09A692791DE937E2FA56D245
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=4C354:57B62BBB09A692791DE937E2FA56D245
=== SPONSOR: Linktek ==========================================
Automatically fix links when you move files!
Patented LinkFixerPlus is the first application that automatically
fixes broken links in Excel, Word, Access, PowerPoint, Acrobat,
InDesign, PageMaker, AutoCAD and other files when performing data
migrations due to: server consolidations, server name changes, path
name changes or folder reorganizations! Detailed broken link reporting
too!
Download the FREE trial version NOW at
http://list.windowsitpro.com/t?ctl=4C362:57B62BBB09A692791DE937E2FA56D245
=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: My Toaster Crashed
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4C364:57B62BBB09A692791DE937E2FA56D245
Coding errors create security bugs. It's as simple as that. So don't be
surprised if someone crashes your toaster someday. Read this blog
article to learn just how easily some devices can be crashed.
http://list.windowsitpro.com/t?ctl=4C35D:57B62BBB09A692791DE937E2FA56D245
FAQ: Recovering Disk Access After Renaming Servers
by John Savill, http://list.windowsitpro.com/t?ctl=4C360:57B62BBB09A692791DE937E2FA56D245
Q: I've renamed servers using a special script but am now having
problems accessing disks via the Microsoft Management Console (MMC)
Disk Management snap-in. What's the problem?
Find the answer at
http://list.windowsitpro.com/t?ctl=4C35A:57B62BBB09A692791DE937E2FA56D245
FROM THE FORUM: "Act as part of the operating system" Permission
A forum participant has an application that requires the "Act as
part of the operating system" right to operate correctly on Windows
2000 systems. However, the same application doesn't require this right
on Windows XP systems. He wonders why this is the case and what the
implications are of granting an application this right. Join the
conversation at the URL below.
http://list.windowsitpro.com/t?ctl=4C34D:57B62BBB09A692791DE937E2FA56D245
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
=== PRODUCTS ==================================================
by Renee Munshi, products@windowsitpro.com
Policy Control Software Adds SNMP Event Monitoring
Active Reasoning announced the availability of Active Reasoning
System 5, which lets businesses embed IT policy controls in business
systems and applications to provide real-time change detection and
configuration auditing. Active Reasoning automatically maps policy
frameworks and controls to the users, applications, systems, network
devices, files, and databases that need to be monitored to enforce the
policies. New in System 5, SNMP event monitoring lets Active Reasoning
collect event and change information from network devices in addition
to applications and servers. For more information, go to
http://list.windowsitpro.com/t?ctl=4C368:57B62BBB09A692791DE937E2FA56D245
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@windowsitpro.com and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS ======================================
For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=4C35F:57B62BBB09A692791DE937E2FA56D245
Do you want to block unwanted or undesirable email? Download this free
white paper to learn how to manage the content of messages traveling
your network.
http://list.windowsitpro.com/t?ctl=4C352:57B62BBB09A692791DE937E2FA56D245
How do you manage security vulnerabilities? If you depend on
vulnerability assessments to determine the state of your IT security
systems, you can't miss this Web seminar. Special research from Gartner
indicates that deeper penetration testing is needed to augment your
existing vulnerability management processes. Learn more today!
http://list.windowsitpro.com/t?ctl=4C34F:57B62BBB09A692791DE937E2FA56D245
Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes Windows plus UNIX/Linux,
TechX World is the place to go for practical strategies and resources
to add to your toolkit. This one-day technical training event will
teach you how to make the most of open-source tools on Windows and how
to manage and sync multiple directories. Register today!
http://list.windowsitpro.com/t?ctl=4C35E:57B62BBB09A692791DE937E2FA56D245
=== FEATURED WHITE PAPER ======================================
One common set of controls can help you manage compliance across
multiple regulations and standards. Download this free IDC white paper
and find out how to map controls to the appropriate regulations, saving
time and expense in demonstrating compliance.
http://list.windowsitpro.com/t?ctl=4C350:57B62BBB09A692791DE937E2FA56D245
=== ANNOUNCEMENTS =============================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=4C356:57B62BBB09A692791DE937E2FA56D245
Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting April nominations now, but only for a limited
time! Submit your nomination today:
http://list.windowsitpro.com/t?ctl=4C365:57B62BBB09A692791DE937E2FA56D245
===============================================================
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://list.windowsitpro.com/t?ctl=4C363:57B62BBB09A692791DE937E2FA56D245
http://list.windowsitpro.com/t?ctl=4C369:57B62BBB09A692791DE937E2FA56D245
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=4C358:57B62BBB09A692791DE937E2FA56D245
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=4C367:57B62BBB09A692791DE937E2FA56D245
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=4C357:57B62BBB09A692791DE937E2FA56D245
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.