
Wednesday, December 20, 2006

Suhosin: A Guardian Angel for PHP

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy
Enterprise.

http://list.windowsitpro.com/t?ctl=44360:886699

Discover Atempo's leading PC backup solution.

http://list.windowsitpro.com/t?ctl=44368:886699

Podcast: Five Keys to Choosing the Right Antispyware Solution

http://list.windowsitpro.com/t?ctl=4435E:886699


=== CONTENTS ===================================================

IN FOCUS: Suhosin: A Guardian Angel for PHP

NEWS AND FEATURES
- Triple Threat Against Microsoft Word
- Metavize Changes Name and Strategy
- Forefront Security for Exchange Server Released
- Recent Security Vulnerabilities

GIVE AND TAKE
- Know Your IT Security Contest Winners!
- Security Matters Blog: More Goodies for Your Security Toolkit
- FAQ: What Is Microsoft Forefront?
- From the Forum: Determining Activity from the Security Log
- Share Your Security Tips

PRODUCTS
- Monitor Your Database from Afar
- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Sunbelt ===========================================

Is Your Antivirus Effective in Detecting Spyware? Test Drive CounterSpy
Enterprise.
Are you protected company-wide against spyware, keyloggers, adware,
and backdoor Trojans? Test the state of the art scanning engine that
uses threat signatures from multiple sources to track down the culprits
that antivirus solutions alone can't protect you against. Download your
free 30 day trial of CounterSpy Enterprise today!

http://list.windowsitpro.com/t?ctl=44360:886699


=== IN FOCUS: Suhosin: A Guardian Angel for PHP ================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

PHP is a hugely popular programming language used on countless Web
sites. It's a scripting language, which means that its code is compiled
at runtime rather than ahead of time. PHP has a lot of community
support, so a ton of open-source libraries are available for many
different tasks. Some of the most popular applications available today,
such as WordPress, are powered by PHP.

PHP isn't without its security problems. Over the years, the developers
have worked to fix the problems, but sometimes not fast enough to
please everyone. Last week, PHP developer Stefan Esser resigned from
the PHP Security Response Team in disgust.

In his blog, Esser wrote that "[the reasons why I resigned] are many,
but the most important one is that I have realised that any attempt to
improve the security of PHP from the inside is futile." Esser went on
to say that, "The PHP Group will jump into your boat as soon you try to
blame PHP's security problems on the user but the moment you criticize
the security of PHP itself you become persona non grata. I stopped
counting the times I was called immoral traitor for disclosing security
holes in PHP or for developing Suhosin."

http://list.windowsitpro.com/t?ctl=44361:886699

In closing, Esser wrote, "For the ordinary PHP user [my resignation]
means that I will no longer hide the slow response time to [PHP]
security holes in my advisories. It will also mean that some of my
advisories will come without patches available, because the PHP
Security Response Team refused to fix them for months. It will also
mean that there will be a lot more advisories about security holes in
PHP."

Fortunately, Esser did develop Suhosin, which is a powerful security
patch for PHP. The name is a South Korean word that essentially means
"guardian angel." If you use PHP and you've never looked at Suhosin,
you're missing some great security enhancements. You can find a
complete list of the configuration options that Suhosin introduces at
the URL below. Just to give you a quick example, Suhosin lets you gain
better control over crucial aspects of PHP applications, such as cookie
functionality, session parameters, SQL parameters, and more.
Effectively, it lets you filter a lot of stuff that might otherwise
become dangerous.

http://list.windowsitpro.com/t?ctl=4436A:886699

Installing Suhosin requires that you recompile PHP. This is a simple
task on Linux platforms but might prove more difficult on Windows,
which doesn't come with a PHP compiler. If you can get access to the
required tools on Windows or you use PHP on a Linux system, installing
Suhosin is definitely worth the effort.

In a nutshell, you download the PHP source code, the Suhosin patch, and
the Suhosin extension source code. Then you apply the patch and compile
PHP. After that, you compile the Suhosin extension. With that done, you
add one line to your php.ini file to tell PHP to load the extension.
That's about it. Then you can configure Suhosin to your exact needs by
adding parameters to your php.ini file. However, as is mentioned on the
Web site, you can probably use most of the features in the default
configuration, which means your implementation effort doesn't require a
lot of time reading through the explanations for dozens of possible
settings.
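Once the rebuilt PHP is in place, the step most often skipped is confirming that the patch and extension are actually active and that the php.ini directives took effect. The following check script is an added example, not code from the newsletter or from the Suhosin project; it assumes the patch defines the SUHOSIN_PATCH constant and uses Suhosin 0.9.x directive names, which should be confirmed against the option list on the Suhosin site.

```php
<?php
// Added example (not from the newsletter or the Suhosin project): verify that
// a PHP build carries the Suhosin patch and extension, and that a handful of
// hardening directives in php.ini have the intended values. The constant name
// SUHOSIN_PATCH and the directive names are assumptions taken from Suhosin
// 0.9.x; check them against the official option list.

/** True when the core patch is compiled in (the patch defines SUHOSIN_PATCH). */
function suhosin_patch_present()
{
    return defined('SUHOSIN_PATCH');
}

/** True when the extension was loaded via the extension=suhosin.so line. */
function suhosin_extension_loaded()
{
    return extension_loaded('suhosin');
}

/**
 * Compare effective php.ini values with an expected baseline.
 * Returns a list of findings; an empty list means every directive matched.
 * ini_get() returns false for a directive this build does not know, which
 * usually means the extension is not loaded at all.
 */
function suhosin_check_baseline(array $expected)
{
    $findings = array();
    foreach ($expected as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            $findings[] = "$directive: unknown to this build (extension missing?)";
        } elseif ((string) $have !== (string) $want) {
            $findings[] = "$directive: is '$have', expected '$want'";
        }
    }
    return $findings;
}

// Baseline: transparently encrypt session and cookie data, cap the number of
// request variables accepted, and disable eval(). Adjust to the application.
$baseline = array(
    'suhosin.session.encrypt'       => '1',
    'suhosin.cookie.encrypt'        => '1',
    'suhosin.post.max_vars'         => '200',
    'suhosin.request.max_vars'      => '200',
    'suhosin.executor.disable_eval' => '1',
);

printf("Suhosin patch:     %s\n", suhosin_patch_present() ? 'yes' : 'NO');
printf("Suhosin extension: %s\n", suhosin_extension_loaded() ? 'yes' : 'NO');
foreach (suhosin_check_baseline($baseline) as $finding) {
    echo "  - $finding\n";
}
```

Run it from the command line with the same php binary the Web server uses, since a CLI build and an Apache module build can load different php.ini files.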

I'm not aware of any PHP packages precompiled with Suhosin for Windows.
If you know of one, send me an email message with information about
where to get it and I'll share that information with the readers of
this newsletter.

If you run PHP without Suhosin, your PHP-based applications are far
more vulnerable than they need to be. Head over to the Suhosin site and
take a look, and I think you'll agree that Suhosin is an essential
addition to your PHP platform.

http://list.windowsitpro.com/t?ctl=44374:886699


=== SPONSOR: Atempo ============================================

Discover Atempo's leading PC backup solution.
Stop losing valuable information stored on your employees' laptops!
The financial impact of information loss and system failure can be very
high and recovering data or a corrupted system is complicated and time
consuming. In today's enterprise, the workforce is highly mobile, and
business-critical information is most often stored on globe-trotting
laptops. Atempo LiveBackup can put an end to your mobile data
headaches. This automatic and continuous backup software keeps laptop
data protected up to the moment of failure and empowers end-users to
recover files by themselves.

http://list.windowsitpro.com/t?ctl=44368:886699


=== SECURITY NEWS AND FEATURES =================================

Triple Threat Against Microsoft Word
Three exploits that affect Microsoft Word were released in the last
two weeks. At least one of the exploits also reportedly affects the
OpenOffice platform.

http://list.windowsitpro.com/t?ctl=4436E:886699

Metavize Changes Name and Strategy
California-based Untangle, formerly Metavize, recently announced the
company's name change and a new plan to offer its products free to
very small companies.

http://list.windowsitpro.com/t?ctl=44370:886699

Forefront Security for Exchange Server Released
Coinciding with the release of Exchange Server 2007, Microsoft
released Forefront Security for Exchange Server, based on Sybari's
Antigen for Exchange.

http://list.windowsitpro.com/t?ctl=4436D:886699

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=44363:886699


=== SPONSOR: PC Tools ==========================================

Podcast: Five Keys to Choosing the Right Antispyware Solution
Randy Franklin Smith outlines five evaluation points to consider
when choosing your anti-spyware solution in this free podcast. Download
it today!

http://list.windowsitpro.com/t?ctl=4435E:886699


=== GIVE AND TAKE ==============================================

KNOW YOUR IT SECURITY Contest Winners!
Congratulations to the winners of the Know Your IT Security Contest:
Rob John, Josh Kunken, John Penrose, Gregory Smith, Jim Turner, Tony
Weil, and Will Willis. Their entries on a variety of topics--from
creative use of a network monitor to aid in an investigation of stolen
laptops to a script that takes a security snapshot of key domain groups
and reports on changes--will appear on the Security Pro VIP Web site in
the coming months. And each winner will receive a Microsoft Zune,
courtesy of our contest sponsor: Microsoft Learning Paths for Security
(at the URL below). Thanks to all who participated.

http://list.windowsitpro.com/t?ctl=44371:886699

SECURITY MATTERS BLOG: More Goodies for Your Security Toolkit
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=44376:886699

Still have room in your security toolkit? Read this blog article to
learn about a few more tools you might want to add.

http://list.windowsitpro.com/t?ctl=4436F:886699

FAQ: What Is Microsoft Forefront?
by John Savill, http://list.windowsitpro.com/t?ctl=44373:886699


Q: What is Microsoft Forefront?

Find the answer at

http://list.windowsitpro.com/t?ctl=4436C:886699

FROM THE FORUM: Determining Activity from the Security Log
A forum participant is wondering how to determine what caused a
certain authentication to take place. The caller username shows the
server name followed by the dollar sign. The logon type is 3 with an
event ID of 540. Kerberos is the authentication package. Offer your
input at the URL below:

http://list.windowsitpro.com/t?ctl=4435A:886699

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's
Reader to Reader column. Email your contributions to
r2rwinitsec@windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Monitor Your Database from Afar
RippleTech announced the release of Informant 2.0. The new version
of the database security application has a Web-based administration
console that lets you monitor database and application security from
any location at any time. Other upgrades include role-based access to
reports, secure management of audit logs, centralized reporting across
supported database servers (including Microsoft SQL Server, Oracle, and
IBM DB2), and integration with the security event management framework
(SIEM). Informant alerts IT administrators about unauthorized attempts
to access applications and databases and creates an audit trail for
forensics. For more information about Informant 2.0, go to

http://list.windowsitpro.com/t?ctl=4437A:886699

WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@windowsitpro.com and get a Best Buy gift certificate.


=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=44372:886699

Are you an Oracle professional who has cross-platform responsibilities,
or do you need to transfer your skill set to SQL Server? If so,
register for free to attend the Cross Platform Data online event
January 30 and 31 and February 1, 2007. In a seminar featuring SQL
Server/Oracle experts Andrew Sisson from Scalability Experts and
Douglas McDowell from Solid Quality Learning, you'll learn key concepts
about SQL Server 2005, including how to deploy SQL Server's BI
capabilities on Oracle, proof points demonstrating that SQL Server is
enterprise-ready, and how to successfully deploy Oracle on the Windows
platform.

http://list.windowsitpro.com/t?ctl=4436B:886699

Learn all you need to know about code signing technology, including the
goals and benefits of code signing, how code signing works, and the
underlying cryptographic and security concepts and building blocks.

http://list.windowsitpro.com/t?ctl=44362:886699

Take the necessary steps for application management, from conversion of
legacy applications to MSI to customizing applications to fit corporate
standards. Don't overlook an important component of an OS migration--
join us for the free on-demand Web seminar.

http://list.windowsitpro.com/t?ctl=4435B:886699

Total Cost of Ownership--TCO. It's every executive's favorite buzzword,
but what does it really mean and how does it affect you? In this
podcast, Ben Smith explains how your organization can use
virtualization technology to measurably improve the TCO for servers and
clients.

http://list.windowsitpro.com/t?ctl=4435F:886699

Does your company have $500,000 US to spend on one email discovery
request? Join us for this free Web seminar to learn how you can
implement an email archiving solution to optimize email management and
proactively take control of e-discovery--and save the IT search party
for when you really need it! On-Demand Web Seminar

http://list.windowsitpro.com/t?ctl=4435C:886699

Find the buried treasure by uncovering the secrets to Web filtering.
Complete this quiz correctly and you could be a winner!

http://list.windowsitpro.com/t?ctl=44369:886699


=== FEATURED WHITE PAPER =======================================

Branch offices need flexibility and autonomy in implementing IT
solutions; corporate requirements require centralized management,
security, and compliance initiatives. Learn to resolve these conflicts
and reduce your operational costs for branch offices with limited IT
resources. Download the free white paper today!

http://list.windowsitpro.com/t?ctl=4435D:886699


BONUS: Register for any white paper from Windows IT Pro in the month of
December, and be entered to win a Wii! Visit
http://list.windowsitpro.com/t?ctl=44378:886699 for more information
and a complete white paper listing.


=== ANNOUNCEMENTS ==============================================

Holiday Offer--Save $40 off Windows IT Pro
Don't miss Windows IT Pro magazine in 2007! As a subscriber, you'll
have full access to must-have content covering Windows Vista
deployment, virtualization & disaster recovery, Active Directory
enhancements, the Office 2007 launch, SharePoint fundamentals, and much
more. Order now and save $40:

http://list.windowsitpro.com/t?ctl=44364:886699

Vote for the Next "IT Pro of the Month!"
Your vote counts! Take the time to reward excellence in an IT pro
who deserves it. The first 100 readers to cast a vote will receive a
one-year subscription to Windows IT Pro, compliments of Microsoft.
Voting takes only a few seconds, so don't miss out. Cast your vote now:

http://list.windowsitpro.com/t?ctl=44377:886699


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and the Windows IT Security newsletter
(subscribe at the second URL below).

http://list.windowsitpro.com/t?ctl=44375:886699

http://list.windowsitpro.com/t?ctl=44365:886699

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=44367:886699

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB177E93A92E9673224

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=44379:886699

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=44366:886699

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
