Security UPDATE--A Month of PHP Bugs--February 28, 2007

Former member of the PHP Security Response Team Stefan Esser will post a blog entry about at least one PHP bug every day for the month of March. Read more about this and get links to security resources.

ITPro Today

February 28, 2007


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Free White Paper: Address the Insider Threat

http://findtechinfo.com/penton/nl/250

Filtering the Spectrum of Internet Threats

http://www.windowsitpro.com/go/whitepaper/stbernard/internetthreats/?code=SECMid0228

Automatically fix links when you move files!

http://list.windowsitpro.com/t?ctl=44A7B:21AD1

===========================================
CONTENTS
===========================================

===================================

Free White Paper: Address the Insider Threat
Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and ready to build a solution to contain the insider threat.
http://findtechinfo.com/penton/nl/250

=== IN FOCUS: A Month of PHP Bugs ===

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that back in December 2006, Stefan Esser resigned from the PHP Security Response Team in disgust. At the time, Esser said that "any attempt to improve the security of PHP from the inside is futile.... The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."

Suhosin is of course a fantastic patch for the PHP source code that makes it far more secure than it is without the patch. If you haven't read about Suhosin, you can do so at the URL below.
http://www.windowsitpro.com/Article/ArticleID/94673/94673.html

In response to Esser leaving the PHP Security Response Team, Zeev Suraski wrote that he'd "like to take the opportunity, again, and ask Stefan to come back to [the] security team, and work with the project and not against it. As any project that has hundreds of people contributing to it, you never find yourself in agreement with everyone at any given time. It doesn't mean that those who don't think exactly like you are your 'enemies,' and it certainly doesn't mean you should quit and turn to the 'other side.'" It seems to me that if Suraski is serious about wanting Esser back, then he could have gone without the two less-than-subtle digs at Esser.
http://www.suraski.net/blog/index.php?/archives/17-PHP-Security.html

So far, Esser has not returned to the team, and earlier this month, he declared that he's going to launch a "Month of PHP Bugs." He's now decided that March 2007 will be the month to do that. As is the trend, every day for the month of March, Esser will post about at least one bug in PHP. You can read more about it at the URL below.
http://blog.php-security.org/archives/71-Month-of-PHP-Bugs-and-PHP-5.2.1.html

PHP is widely used, and many of you undoubtedly have it in use on your systems. You should probably keep an eye on Esser's Web site in March to learn of the newly disclosed PHP bugs so that you can take action to defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5, both released in the second week of February 2007, so be sure you're using the latest version. You should also seriously consider integrating the Suhosin patch as soon as you can--if you can. Unfortunately, no precompiled package of PHP that includes Suhosin seems to be available, so you're on your own and will need to compile the patch yourself.
http://www.php.net
http://www.hardened-php.net/suhosin/index.html

=== SPONSOR: St. Bernard Software ===

Filtering the Spectrum of Internet Threats
Examine the threats of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P. Download this free white paper now!
http://www.windowsitpro.com/go/whitepaper/stbernard/internetthreats/?code=SECMid0228

=== SECURITY NEWS AND FEATURES ===

TJX Data Breach Investigation Reveals More Exposure
The TJX Companies reported that its data breach was more severe than it had originally detected.
http://www.windowsitpro.com/Article/ArticleID/95269

Vista Tips for IT Pros
Windows Vista has lots of little changes that will affect IT professionals and administrators. Learn more about them in this article on our Web site.
http://www.windowsitpro.com/Article/ArticleID/95020

CastleCops Endures DDoS Attack
CastleCops, an online security community whose charter is to help fight malware and phishing scams, fell under Distributed Denial of Service (DDoS) attacks beginning February 13.
http://www.windowsitpro.com/Article/ArticleID/95283

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Linktek ===

====================================

SECURITY MATTERS BLOG: My Toaster Crashed
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
Coding errors create security bugs. It's as simple as that. So don't be surprised if someone crashes your toaster someday. Read this blog article to learn just how easily some devices can be crashed.
http://www.windowsitpro.com/Article/ArticleID/95267

FAQ: Recovering Disk Access After Renaming Servers
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: I've renamed servers using a special script but am now having problems accessing disks via the Microsoft Management Console (MMC) Disk Management snap-in. What's the problem?
Find the answer at
http://www.windowsitpro.com/Article/ArticleID/95252

FROM THE FORUM: "Act as part of the operating system" Permission
A forum participant has an application that requires the "Act as part of the operating system" right to operate correctly on Windows 2000 systems. However, the same application doesn't require this right on Windows XP systems. He wonders why this is the case and what the implications are of granting an application this right. Join the conversation at the URL below.
http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=84049&enterthread=y

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===

by Renee Munshi, [email protected]

Policy Control Software Adds SNMP Event Monitoring
Active Reasoning announced the availability of Active Reasoning System 5, which lets businesses embed IT policy controls in business systems and applications to provide real-time change detection and configuration auditing. Active Reasoning automatically maps policy frameworks and controls to the users, applications, systems, network devices, files, and databases that need to be monitored to enforce the policies. New in System 5, SNMP event monitoring lets Active Reasoning collect event and change information from network devices in addition to applications and servers. For more information, go to
http://www.activereasoning.com

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS ===

One common set of controls can help you manage compliance across multiple regulations and standards. Download this free IDC white paper and find out how to map controls to the appropriate regulations, saving time and expense in demonstrating compliance.
http://www.windowsitpro.com/go/whitepapers/symantec/compliance?code=0226featwp

=== ANNOUNCEMENTS ===

===========================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

http://www.windowsitpro.com/windowssecurity

http://www.securityprovip.com

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
