Week In Security: PHP Vulnerabilities, Britney Virus


Here's a rundown of some of the events, announcements and other happenings in information security last week:

• Security experts warned of multiple vulnerabilities in the PHP scripting language widely used to create dynamic Web pages.

According to the CERT Coordination Center at Carnegie Mellon University, the vulnerabilities in the php_mime_split function could allow attackers to execute arbitrary code with the privileges of the Web server running PHP or to interrupt the Web server's operations. CERT recommends applying patches from software vendors, if available, or upgrading to PHP version 4.1.2. If patching or upgrading isn't an option, a user can disable file upload support, CERT said.

• Pop singer Britney Spears became the latest celebrity used by virus writers. Antivirus vendors reported a new e-mail worm with the subject line, "RE: Britney Pics," and an attachment, "BRITNEY.chm." When executed, the worm sends itself to all addresses in the user's Outlook address book and tries to distribute itself via Internet Relay Chat, according to Sophos, an antivirus software maker. The worm was rated as a low risk by vendors.

• Symantec announced the availability of online training resources for its channel partners and customers. Solution providers participating in Symantec's partner program can obtain free, self-paced online sales training. Symantec said it also is rolling out a limited number of fee-based online classes for technical and security solutions training to partners and customers.

• Bodacion Technologies said it will award $100,000 to anyone who can crack the encryption system on its Hydra Internet server. The company, based in Barrington, Ill., issued the challenge at a Web security forum sponsored by the National Security Agency in Washington, D.C. Those who want to participate in the contest can register at www.bodacion.com/bodacionchallenge.html.

• Sourcefire, a Columbia, Md.-based startup, announced the availability of the OpenSnort Management Console, an appliance-based sensor management and intrusion-detection analysis console for the Snort open-source IDS. The product allows for centralized policy and log management of sensors and correlation of events across the network. The console costs $20,000, plus an additional $9,995 for each OpenSnort Sensor deployed.