Apache, Apple, PHP Release Security Updates
The past few days has been filled with security patches and updates that may have slipped past IT administrators.
Apache released its HTTP Server 2.2.22 which included fixes to six significant security flaws. Most of the vulnerabilities were rated either moderate or low. Apache fixed two low-priority privilege escalation issues, three moderate-priority exposure flaws, and another low priority bug that could be exploited with a malicious cookie in the 2.2.22 release.
Apple updated Mac OS X Snow Leopard and Lion with a massive Security Update on Feb 1. Apple released Security Update 1.1 on Feb. 4 to address some of the issues that was introduced with the earlier update. Mac OS X Security Update 2012-001 v1.1 also removed the three ImageIO fix that had been part of the original update but did not provide any explanations as to why.
The PHP team also released PHP 5.3.10 to fix a remote code execution vulnerability that had been introduced in a previous update on Feb. 3. A pair of researchers at the Chaos Communication Congress conference in Germany demonstrated a new technique in December that could cause a denial of service condition. The vulnerability existed in several Web application frameworks, including ASP.NET, Apache Tomcat, Oracle Glassfish Server and PHP. The PHP team released version 5.3.9 in January to address the hash collision problem.
PHP fixed the issue by limiting the number of input parameters and didn't introduce a new function. The "max_input_var" parameter limited the number of input parameters a request may send to 1,000. It turned out the fix was implemented incorrectly and instead, introduced a remote code execution flaw in PHP 5.3.9. An attacker would be able to craft a malicious request that could executive code on a Web server running PHP 5.3.9.
Administrators running PHP 5.3.9 should patch immediately. The SANS Institute's Johannes Ullrish recommended that administrators running PHP 5.3.8 actually wait and not upgrade at all.