Posted in Network World on February 3rd, 2012 by NetworkWorld
Archive for the ‘News’ Category
Microsoft on Friday wrapped up a three-day campaign against rival Google by claiming its newest browser, Internet Explorer 9, is superior in stopping users from being tracked by online advertisers.
Posted in Network World on February 3rd, 2012 by NetworkWorld
In what's turning out to be quite a busy Friday for the hacking collective, Anonymous today said it has broken into the website of a law firm that represented a U.S. Marine accused of killing civilians in Haditha, Iraq.
Posted in hacking, infosec, Linux, magazine, News, pentest, reference, security, testing, Tools on February 3rd, 2012 by fredgt3
ISC StormCast for Friday, February 3rd 2012 http://isc.sans.edu/podcastdetail.html?id=2302, (Fri, Feb 3rd)
Posted in SANS on February 3rd, 2012 by ISC Handler
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in SANS on February 3rd, 2012 by ISC Handler
Just about a month ago, PHP 5.3.9 was released, which included a patch for the hash collision problem. The basic hash collision problem affected various languages, including PHP and .NET (Microsoft fixed the issue in an out-of-band patch, MS11-100, in late December).
PHP fixed the issue not by introducing a new hash function, but by limiting the number of input parameters. Just as the Suhosin PHP hardening patch has done all along, PHP now supports a max_input_vars directive that caps the number of input variables a request may send. The default limit was set to 1,000, plenty for most web applications.
Sadly, the fix was implemented incorrectly and introduced a more severe vulnerability: remote code execution. That's right: an attacker can craft a request that will execute code on a web server running PHP 5.3.9.
Today, the PHP team released PHP 5.3.10 to address the issue.
If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug.
If you are running PHP 5.3.8: DO NOT UPGRADE TO 5.3.9. I would actually recommend that you wait.
Additionally, try to enable Suhosin if at all possible. There is a slight performance hit, but it is unlikely to break your web application unless you are already tight on resources. Many Linux distributions include Suhosin, so it may be pretty easy to set up.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
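As an added example (not code from the ISC diary or from the PHP project), the Python script below shows why the max_input_vars cap matters. It builds parameter names that collide under DJBX33A, the "times 33" string hash PHP's Zend engine uses for array keys, shows that they all land in one hash-table chain, and then decodes a form body the way PHP 5.3.9 does, stopping at max_input_vars. The form parser is a simplified model of PHP's (no `name[]` array parameters), the 32-bit truncation of the hash is an assumption for illustration, and all function names are the example's own.

```python
"""Hash-collision DoS against a DJBX33A-keyed table and the PHP 5.3.9-style
max_input_vars limit that blunts it.  Added example for this diary, not ISC's
or the PHP project's code."""
import itertools
import urllib.parse
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def djbx33a(key: str) -> int:
    """Bernstein 'times 33' hash (h = h*33 + c, seed 5381), the function PHP's
    Zend engine uses for string keys; truncated to 32 bits here (assumption)."""
    h = 5381
    for byte in key.encode("latin-1"):
        h = (h * 33 + byte) & MASK32
    return h


# Two-byte blocks with identical DJBX33A hashes: 69*33+122 == 70*33+89 == 71*33+56.
# The hash is a polynomial in 33, so swapping one block for another anywhere in a
# key leaves the final value unchanged: concatenations of these blocks collide too.
COLLIDING_BLOCKS = ("Ez", "FY", "G8")


def colliding_keys(n: int) -> List[str]:
    """Return n distinct parameter names that all hash to the same value."""
    blocks = 1
    while len(COLLIDING_BLOCKS) ** blocks < n:
        blocks += 1
    combos = itertools.product(COLLIDING_BLOCKS, repeat=blocks)
    return ["".join(c) for c in itertools.islice(combos, n)]


def attack_body(keys: List[str]) -> str:
    """Build the POST body an attacker would send: one pair per colliding key."""
    return "&".join(f"{k}=1" for k in keys)


def max_bucket_load(keys: List[str], table_size: int = 1 << 16) -> int:
    """Longest chain after inserting keys into a table of table_size buckets.
    Each insert walks its chain, so total cost is quadratic when this equals len(keys)."""
    loads: Dict[int, int] = {}
    for k in keys:
        bucket = djbx33a(k) & (table_size - 1)
        loads[bucket] = loads.get(bucket, 0) + 1
    return max(loads.values(), default=0)


def parse_form(body: str, max_input_vars: int = 1000) -> Tuple[Dict[str, str], bool]:
    """Decode a form body the way PHP 5.3.9+ does (simplified model): stop after
    max_input_vars variables and flag the overflow (PHP warns and drops the rest)."""
    params: Dict[str, str] = {}
    accepted = 0
    truncated = False
    for pair in body.split("&"):
        if not pair:
            continue
        if accepted >= max_input_vars:
            truncated = True
            break
        name, _, value = pair.partition("=")
        params[urllib.parse.unquote_plus(name)] = urllib.parse.unquote_plus(value)
        accepted += 1
    return params, truncated


if __name__ == "__main__":
    keys = colliding_keys(2000)                      # constructed attack input
    print("distinct hashes:", len({djbx33a(k) for k in keys}))  # 1
    print("longest chain:", max_bucket_load(keys))              # 2000
    params, truncated = parse_form(attack_body(keys))
    print("accepted:", len(params), "truncated:", truncated)   # 1000 True
```

Two thousand keys is enough to show the degenerate chain; the attacks reported against PHP used tens of thousands of colliding names per request, which is why a cap on the number of variables, rather than a faster parser, was the fix chosen.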
Posted in Network World on February 3rd, 2012 by NetworkWorld
Germany's cyber security agency today recommended that Windows 7 users run Google's Chrome browser, citing the application's sandbox and auto-update features.
Posted in E-Week on February 3rd, 2012 by E-Week
VeriSign didn't disclose that it had been successfully attacked several times in 2010 because the security team didn't tell management about the incidents until recently. - VeriSign, the company responsible for the .com, .net and .gov domain spaces, acknowledged in a recent filing with the Securities and Exchange Commission that it was hacked several times in 2010. The company had not disclosed the incidents at the time they occurred.
While VeriSign admitted to t...
Posted in E-Week on February 3rd, 2012 by E-Week
Windows Phone 8 will integrate in many ways with Windows 8, among other features such as BitLocker encryption, according to two new reports. - Windows Phone 8 will support multicore processors and native BitLocker encryption, and integrate in many ways with the upcoming Windows 8.
Those are just a few of the features mentioned in a Pocketnow.com report Feb. 2, many of which were subsequently confirmed by Paul Thurrott in a posting on ...
Posted in E-Week on February 3rd, 2012 by E-Week
Google's Android operating system is regularly blasted for fragmentation. It won't be mistaken for Apple iOS, but it might not be as bad as we originally thought. - Much of the negative conversation concerning Google's (NASDAQ:GOOG) Android platform is predicated on the fact that it's fragmented. Specifically, the concern is that there are too many operating system builds spanning Android 2.0 to Android 4.0, too many devices and handset makers clogging an a...
Posted in SANS on February 3rd, 2012 by ISC Handler
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.