Zend Patches High-Risk Security Flaw in PHP

March 4, 2014 Alex Woodie

Zend Technology last week issued emergency hotfixes for the latest PHP runtimes for IBM i, Windows, and Linux to fix a high-risk security vulnerability in PHP that could enable an attacker to execute arbitrary code on affected systems.

Zend on Thursday announced the immediate availability of Zend Server 6.3 Hotfix 1. The hotfix implements a new release of the PHP language, version 5.5.9, and thereby patches a security flaw in its Zend Server PHP runtimes for IBM i, Windows, and Linux platforms. There is no hotfix for the Zend version 6.3 runtime for Mac OS X.

The patch addresses the “imagecrop()” buffer overflow vulnerability that is referenced in CVE-2013-7226. The vulnerability, caused by improper bounds checking, could enable a malicious user to execute arbitrary code or a denial of service (DOS) attack. It is a “high risk” security vulnerability, according to IBM’s ISS X-Force report.

The emergency hotfix comes just over a week after the company shipped Zend Server version 6.3, the first release of the PHP runtime to support the new PHP version 5.5 language. The release of that runtime coincided with the launch of Zend’s new long-term support policy, under which Zend expanded its technical support window for older releases of the PHP runtime and language from three to five years.

Ironically, Zend’s customers were more concerned about security vulnerabilities discovered in older releases of the PHP runtime that the open source community could not be relied on to fix. But the CVE-2013-7266 vulnerability exists only in the newer PHP releases, versions 5.5 and 5.4. PHP version 5.3–an older release that is one of the targets of Zend’s new long-term support program–is not affected by the CVE-2013-7266 vulnerability.

To download the Zend Server version 6.3 Hotfix 1 for IBM i or Windows, go to www.zend.com/en/products/server/downloads.

Congratulations, PHP: You Are Legacy Now

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”¹

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com

Watson Goin’ Mobile, Keeps On Movin’ DB2 For i Scalar Function Performance Considerations

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search