Category: News

Security Enhancements and Fixes in PHP 5.2.0

php

  • Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible.
  • Added allow_url_include, set to Off by default to disallow use of URLs for include and require.
  • Disable realpath cache when open_basedir and safe_mode are being used.
  • Improved safe_mode enforcement for error_log() function.
  • Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions.
  • Added missing safe_mode and open_basedir checks for the cURL extension.
  • Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines.
  • Fixed handling of long paths inside the tempnam() function.
  • Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters.
  • Fixed ini setting overload in the ini_restore() function.

OllyStepNSearch v0.6.0

Didier Stevens has released a new version of his OllyDbg plugin called OllyStepNSearch.

About OllyDbg:
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

More information can be found here.

About OllyStepNSearch:
This plugin allows you to search for a given text when automatically
stepping through the debugged program.

When the plugin is enabled, it will step automatically through the debugged
program once a step command (like Step Into) is issued.

More information can be found here.

Here is a movie of this example on YouTube, a High Res (XviD) version can be found here.

The “Less Than Zero Threat”

Interesting article (part 1 / part 2) by Alan Shimel on the concept of the “Less Than Zero Day Exploit”.

less_than_zero

From the article:

Once a vulnerability is publicly announced, the zero-day clock starts ticking. The announcement is typically followed by some period of time before a patch is made available. This is the Zero-Day period. According to accepted wisdom, organizations face the greatest danger when an attack or exploit targeting the vulnerability is verified in the “wild.”

Some believe this is a flawed argument. As evidence, they point to “underground” vulnerabilities and exploits that are equally as dangerous and much more difficult to detect and protect against because they are “unknown.” At StillSecure we call this class Less-Than-Zero Threat. The chart below shows the relationship between the Less-Than-Zero threat and the Zero-Day threat and the level of risk they pose to the organization. It also takes into account such factors as responsible disclosure, patch deployment, etc.

The conclusion:

Zero-Day, Less-Than-Zero, patching, exploits…the world is a dangerous place. While our attention has been focused by some security vendors and the press on the Zero-Day attack, the Less-Then-Zero threat is also significant enough to warrant your attention and resources. The reason you don’t hear a lot about this type of attack is because the majority of vendors don’t have a silver bullet to sell you for solving the problem. There is still no substitute for good, old-fashioned, best practices in security.

I completely agree with Alan’s final statement. No product is a substitute for security best practices.

Scroll to top