Security UPDATE--A Month of PHP Bugs--February 28, 2007


Free White Paper: Address the Insider Threat

Filtering the Spectrum of Internet Threats

Automatically fix links when you move files!



IN FOCUS: A Month of PHP Bugs


- TJX Data Breach Investigation Reveals More Exposure

- Vista Tips for IT Pros

- CastleCops Endures DDoS Attack

- Recent Security Vulnerabilities


- Security Matters Blog: My Toaster Crashed

- FAQ: Recovering Disk Access After Renaming Servers

- From the Forum: "Act as part of the operating system" Permission

- Share Your Security Tips


- Policy Control Software Adds SNMP Event Monitoring

- Wanted: Your Reviews of Products






Free White Paper: Address the Insider Threat

Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and ready to build a solution to contain the insider threat.

=== IN FOCUS: A Month of PHP Bugs


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that back in December 2006, Stefan Esser resigned from the PHP Security Response Team in disgust. At the time, Esser said that "any attempt to improve the security of PHP from the inside is futile.... The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."

Suhosin is of course a fantastic patch for the PHP source code that makes it far more secure than it is without the patch. If you haven't read about Suhosin, you can do so at the URL below.

In response to Esser leaving the PHP Security Response Team, Zeev Suraski wrote that he'd "like to take the opportunity, again, and ask Stefan to come back to \[the\] security team, and work with the project and not against it. As any project that has hundreds of people contributing to it, you never find yourself in agreement with everyone at any given time. It doesn't mean that those who don't think exactly like you are your 'enemies,' and it certainly doesn't mean you should quit and turn to the 'other side.'" It seems to me that if Suraski is serious about wanting Esser back, then he could have gone without the two less-than-subtle digs at Esser.

So far, Esser has not returned to the team, and earlier this month, he declared that he's going to launch a "Month of PHP Bugs." He's now decided that March 2007 will be the month to do that. As is the trend, every day for the month of March, Esser will post about at least one bug in PHP. You can read more about it at the URL below.

PHP is widely used, and many of you undoubtedly have it in use on your systems. You should probably keep an eye on Esser's Web site in March to learn of the newly disclosed PHP bugs so that you can take action to defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5, both released in the second week of February 2007, so be sure you're using the latest version.

You should also seriously consider integrating the Suhosin patch as soon as you can--if you can. Unfortunately, no precompiled package of PHP that includes Suhosin seems to be available, so you're on your own and will need to compile the patch yourself.

=== SPONSOR: St. Bernard Software


Filtering the Spectrum of Internet Threats

Examine the threats of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P. Download this free white paper now!



TJX Data Breach Investigation Reveals More Exposure

The TJX Companies reported that its data breach was more severe than it had originally detected.

Vista Tips for IT Pros

Windows Vista has lots of little changes that will affect IT professionals and administrators. Learn more about them in this article on our Web site.

CastleCops Endures DDoS Attack

CastleCops, an online security community whose charter is to help fight malware and phishing scams, fell under Distributed Denial of Service (DDoS) attacks beginning February 13.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Linktek


Automatically fix links when you move files!

Patented LinkFixerPlus is the first application that automatically fixes broken links in Excel, Word, Access, PowerPoint, Acrobat, InDesign, PageMaker, AutoCAD and other files when performing data migrations due to: server consolidations, server name changes, path name changes or folder reorganizations! Detailed broken link reporting too!

Download the FREE trial version NOW at




by Mark Joseph Edwards,

Coding errors create security bugs. It's as simple as that. So don't be surprised if someone crashes your toaster someday. Read this blog article to learn just how easily some devices can be crashed.

FAQ: Recovering Disk Access After Renaming Servers

by John Savill,

Q: I've renamed servers using a special script but am now having problems accessing disks via the Microsoft Management Console (MMC) Disk Management snap-in. What's the problem?

Find the answer at

FROM THE FORUM: "Act as part of the operating system" Permission

A forum participant has an application that requires the "Act as part of the operating system" right to operate correctly on Windows 2000 systems. However, the same application doesn't require this right on Windows XP systems. He wonders why this is the case and what the implications are of granting an application this right. Join the conversation at the URL below.


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Policy Control Software Adds SNMP Event Monitoring

Active Reasoning announced the availability of Active Reasoning System 5, which lets businesses embed IT policy controls in business systems and applications to provide real-time change detection and configuration auditing. Active Reasoning automatically maps policy frameworks and controls to the users, applications, systems, network devices, files, and databases that need to be monitored to enforce the policies. New in System 5, SNMP event monitoring lets Active Reasoning collect event and change information from network devices in addition to applications and servers. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traveling your network.

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration testing is needed to augment your existing vulnerability management processes. Learn more today!

Windows + UNIX/Linux = You Need TechX World!

If you work in an environment that includes Windows plus UNIX/Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!



One common set of controls can help you manage compliance across multiple regulations and standards. Download this free IDC white paper and find out how to map controls to the appropriate regulations, saving time and expense in demonstrating compliance.



Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today:


Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.