Security UPDATE--Suhosin: A Guardian Angel for PHP--December 20, 2006


Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy Enterprise.

Discover Atempo's leading PC backup solution.

Podcast: Five Keys to Choosing the Right Antispyware Solution



IN FOCUS: Suhosin: A Guardian Angel for PHP


- Triple Threat Against Microsoft Word

- Metavize Changes Name and Strategy

- Forefront Security for Exchange Server Released

- Recent Security Vulnerabilities


- Know Your IT Security Contest Winners!

- Security Matters Blog: More Goodies for Your Security Toolkit

- FAQ: What Is Microsoft Forefront?

- From the Forum: Determining Activity from the Security Log

- Share Your Security Tips


- Monitor Your Database from Afar

- Wanted: Your Reviews of Products




=== SPONSOR: Sunbelt


Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy Enterprise.

Are you protected company-wide against spyware, keyloggers, adware, and backdoor Trojans? Test the state of the art scanning engine that uses threat signatures from multiple sources to track down the culprits that antivirus solutions alone can't protect you against. Download your free 30 day trial of CounterSpy Enterprise today!

=== IN FOCUS: Suhosin: A Guardian Angel for PHP


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

PHP is a hugely popular programming language used on countless Web sites. It's an interpreted scripting language: the engine compiles each script when it runs, rather than ahead of time. PHP has a lot of community support, so a ton of open-source libraries are available for many different tasks. Some of the most popular applications available today, such as WordPress, are powered by PHP.

PHP isn't without its security problems. Over the years, the developers have worked to fix the problems, but sometimes not fast enough to please everyone. Last week, PHP developer Stefan Esser resigned from the PHP Security Response Team in disgust.

In his blog, Esser wrote that "[the reasons why I resigned] are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile." Esser went on to say that, "The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."

In closing, Esser wrote, "For the ordinary PHP user [my resignation] means that I will no longer hide the slow response time to [PHP] security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP."

Fortunately, Esser did develop Suhosin, which is a powerful security system for PHP. The name is a Korean word that essentially means "guardian angel." Suhosin has two parts: a patch to the PHP source that hardens the engine itself against low-level bugs (for example, canary protection for memory allocations and hash tables, so a buffer overflow in PHP or one of its extensions is caught instead of exploited), and a PHP extension that adds runtime protections for the applications running on top of it. If you use PHP and you've never looked at Suhosin, you're missing some great security enhancements. You can find a complete list of the configuration options that the extension introduces at the URL below. Just to give you a quick example, the extension lets you gain better control over crucial aspects of PHP applications, such as transparent cookie and session encryption, limits on the number and size of request variables, SQL query safeguards, and more. Effectively, it lets you filter a lot of input that might otherwise become dangerous before your application code ever sees it.

Installing the Suhosin patch requires that you recompile PHP; the extension can be built as a shared module against an existing PHP installation and loaded through php.ini, so you can adopt the extension first if rebuilding PHP isn't an option. Recompiling is a simple task on Linux platforms but might prove more difficult on Windows, which doesn't come with a compiler. If you can get access to the required tools on Windows or you use PHP on a Linux system, installing Suhosin is definitely worth the effort.

In a nutshell, you download the PHP source code, the Suhosin patch, and the Suhosin extension source code. Then you apply the patch and compile PHP. After that, you compile the extension against the freshly built PHP. With that done, you add one line to your php.ini file to tell PHP to load the extension. That's about it. Then you can configure Suhosin to your exact needs by adding parameters to your php.ini file. However, as the Web site mentions, the defaults cover most of the features, so your implementation doesn't require a lot of time reading through the explanations for dozens of possible settings. Do verify after the rebuild that both halves are really active: a patched engine announces itself in the php -v version banner, and a loaded extension appears in the php -m module list.
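The procedure above, written out as an added example (this script is mine, not code from the newsletter or the Suhosin project): the build steps, a starting set of php.ini directives covering the cookie, session, request and SQL controls mentioned earlier, and two checks that confirm the patch and the extension are active. The PHP release, the patch and extension file names, and the install prefix are assumptions; the directive names are from the Suhosin configuration reference, so verify them against the reference for the version you actually install.

```shell
#!/bin/sh
# Added example (not from the newsletter or the Suhosin project): build PHP
# with the Suhosin patch, build the extension, emit a php.ini fragment, and
# check that both halves are active. Tarball names, version numbers and the
# install prefix below are assumptions; set them to match what you downloaded.
set -eu

PHP_VER="${PHP_VER:-5.2.0}"                                         # assumed release
PATCH_FILE="${PATCH_FILE:-suhosin-patch-${PHP_VER}-0.9.6.1.patch}"  # assumed file name
EXT_DIR="${EXT_DIR:-suhosin-0.9.17}"                                # assumed unpacked extension source
PREFIX="${PREFIX:-/usr/local/php-suhosin}"                          # assumed install prefix

# Steps 1 and 2: apply the core patch (engine-level hardening) and rebuild PHP.
# This is the only part that needs a recompile of PHP itself.
build_patched_php() {
    cd "php-${PHP_VER}"
    patch -p1 < "../${PATCH_FILE}"
    ./configure --prefix="${PREFIX}" --with-config-file-path="${PREFIX}/etc"
    make && make install
    cd ..
}

# Step 3: build the extension as a shared module against the installed PHP.
# The extension also builds against an unpatched PHP, so it can be adopted first.
build_extension() {
    cd "${EXT_DIR}"
    "${PREFIX}/bin/phpize"
    ./configure --with-php-config="${PREFIX}/bin/php-config"
    make && make install
    cd ..
}

# Step 4: php.ini lines. The first line is the one the article says you need;
# the rest are directives from the Suhosin configuration reference. Simulation
# mode logs what would have been blocked without blocking it, so keep it On
# until the log is quiet under normal traffic, then set it to Off.
suhosin_ini() {
    cat <<'EOF'
extension=suhosin.so
suhosin.simulation = On
suhosin.log.syslog = 511
; transparent cookie and session encryption: use long, site-specific keys
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE-ME-long-random-cookie-key
suhosin.session.encrypt = On
suhosin.session.cryptkey = CHANGE-ME-long-random-session-key
; request filtering: cap variable counts, value sizes and array nesting
suhosin.get.max_vars = 100
suhosin.post.max_vars = 200
suhosin.request.max_vars = 200
suhosin.get.max_value_length = 512
suhosin.post.max_value_length = 65000
suhosin.request.max_array_depth = 50
; SQL: abort the script on a database error instead of continuing blind
suhosin.sql.bailout_on_error = On
; executor, upload and mail() header hardening
suhosin.executor.disable_emodifier = On
suhosin.upload.disallow_elf = On
suhosin.mail.protect = 2
EOF
}

# Checks. A patched engine appends "with Suhosin-Patch ..." to the php -v
# banner; a loaded extension is listed as "suhosin" by php -m. Both take the
# command output as a string so they can also be run against captured text.
patch_active() {
    printf '%s\n' "$1" | grep -q 'with Suhosin-Patch'
}
extension_loaded() {
    printf '%s\n' "$1" | grep -qix 'suhosin'
}

case "${1:-}" in
    build) build_patched_php; build_extension ;;
    ini)   suhosin_ini ;;
    check) php="${PREFIX}/bin/php"
           patch_active "$("$php" -v)"     && echo "Suhosin patch: active"     || echo "Suhosin patch: MISSING"
           extension_loaded "$("$php" -m)" && echo "Suhosin extension: loaded" || echo "Suhosin extension: MISSING" ;;
esac
```

Run it with build from the directory holding the unpacked sources, with ini (redirected onto the end of your php.ini) to add the fragment, and with check afterward. Leave suhosin.simulation = On until syslog shows no violations under normal traffic, then set it to Off so the extension enforces rather than only reports.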

I'm not aware of any PHP packages precompiled with Suhosin for Windows. If you know of one, send me an email message with information about where to get it and I'll share that information with the readers of this newsletter.

If you run PHP without Suhosin, your PHP-based applications are more exposed than they need to be: the patch blunts memory-corruption bugs in PHP itself, and the extension blocks whole classes of hostile input before it reaches application code. It's defense in depth, not a substitute for patching PHP and your applications. Head over to the Suhosin site and take a look, and I think you'll agree that Suhosin is an essential addition to your PHP platform.

=== SPONSOR: Atempo


Discover Atempo's leading PC backup solution.

Stop losing valuable information stored on your employees' laptops! The financial impact of information loss and system failure can be very high and recovering data or a corrupted system is complicated and time consuming. In today's enterprise, the workforce is highly mobile, and business-critical information is most often stored on globe-trotting laptops. Atempo LiveBackup can put an end to your mobile data headaches. This automatic and continuous backup software keeps laptop data protected up to the moment of failure and empowers end-users to recover files by themselves.



Triple Threat Against Microsoft Word

Three exploits that affect Microsoft Word were released in the last two weeks. At least one of the exploits also reportedly affects the OpenOffice platform.

Metavize Changes Name and Strategy

California-based Untangle, formerly Metavize, recently announced the company's name change and a new plan to offer its products free to very small companies.

Forefront Security for Exchange Server Released

Coinciding with the release of Exchange Server 2007, Microsoft released Forefront Security for Exchange Server, based on Sybari's Antigen for Exchange.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: PC Tools


Podcast: Five Keys to Choosing the Right Antispyware Solution

Randy Franklin Smith outlines five evaluation points to consider when choosing your anti-spyware solution in this free podcast. Download it today!




Congratulations to the winners of the Know Your IT Security Contest: Rob John, Josh Kunken, John Penrose, Gregory Smith, Jim Turner, Tony Weil, and Will Willis. Their entries on a variety of topics--from creative use of a network monitor to aid in an investigation of stolen laptops to a script that takes a security snapshot of key domain groups and reports on changes--will appear on the Security Pro VIP Web site in the coming months. And each winner will receive a Microsoft Zune, courtesy of our contest sponsor: Microsoft Learning Paths for Security (at the URL below). Thanks to all who participated.

SECURITY MATTERS BLOG: More Goodies for Your Security Toolkit

by Mark Joseph Edwards,

Still have room in your security toolkit? Read this blog article to learn about a few more tools you might want to add.

FAQ: What Is Microsoft Forefront?

by John Savill,

Q: What is Microsoft Forefront?

Find the answer at

FROM THE FORUM: Determining Activity from the Security Log

A forum participant is wondering how to determine what caused a certain authentication to take place. The caller username shows the server name followed by a dollar sign, which is the computer account rather than a user. The logon type is 3 (network) with an event ID of 540 (successful network logon). Kerberos is the authentication package. Offer your input at the URL below:


Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Monitor Your Database from Afar

RippleTech announced the release of Informant 2.0. The new version of the database security application has a Web-based administration console that lets you monitor database and application security from any location at any time. Other upgrades include role-based access to reports, secure management of audit logs, centralized reporting across supported database servers (including Microsoft SQL Server, Oracle, and IBM DB2), and integration with security information and event management (SIEM) systems. Informant alerts IT administrators about unauthorized attempts to access applications and databases and creates an audit trail for forensics. For more information about Informant 2.0, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

Are you an Oracle professional who has cross-platform responsibilities, or do you need to transfer your skill set to SQL Server? If so, register for free to attend the Cross Platform Data online event January 30 and 31 and February 1, 2007. In a seminar featuring SQL Server/Oracle experts Andrew Sisson from Scalability Experts and Douglas McDowell from Solid Quality Learning, you'll learn key concepts about SQL Server 2005, including how to deploy SQL Server's BI capabilities on Oracle, proof points demonstrating that SQL Server is enterprise-ready, and how to successfully deploy Oracle on the Windows platform.

Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works, and the underlying cryptographic and security concepts and building blocks.

Take the necessary steps for application management, from conversion of legacy applications to MSI to customizing applications to fit corporate standards. Don't overlook an important component of an OS migration--join us for the free on-demand Web seminar.

Total Cost of Ownership--TCO. It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.

Does your company have $500,000 US to spend on one email discovery request? Join us for this free Web seminar to learn how you can implement an email archiving solution to optimize email management and proactively take control of e-discovery--and save the IT search party for when you really need it! On-Demand Web Seminar

Find the buried treasure by uncovering the secrets to Web filtering. Complete this quiz correctly and you could be a winner!



Branch offices need flexibility and autonomy in implementing IT solutions; corporate requirements require centralized management, security, and compliance initiatives. Learn to resolve these conflicts and reduce your operational costs for branch offices with limited IT resources. Download the free white paper today!

BONUS: Register for any white paper from Windows IT Pro in the month of December, and be entered to win a Wii! Visit for more information and a complete white paper listing.



Holiday Offer--Save $40 off Windows IT Pro

Don't miss Windows IT Pro magazine in 2007! As a subscriber, you'll have full access to must-have content covering Windows Vista deployment, virtualization & disaster recovery, Active Directory enhancements, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save $40:

Vote for the Next "IT Pro of the Month!"

Your vote counts! Take the time to reward excellence in an IT pro who deserves it. The first 100 readers to cast a vote will receive a one-year subscription to Windows IT Pro, compliments of Microsoft. Voting takes only a few seconds, so don't miss out. Cast your vote now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
