Is Reputation restored from a Backup? Don't think so! Nor do I, so read on PHP – Part 2: the drawing back of the wave
by David Dwyer on 01/12/2018 214 Reads
Before you read this article let me ask you a question “Is Reputation restored from a Backup?” If you believe the answer to be no, then read on.
The most commonly deployed version of PHP, 5.5 and 5.6 will no longer receive any support or updates from December 2018. At the time of writing it is only receiving critical security updates. From December even that ends. Think on that a moment – one of the bedrocks of the web as we know it will shortly be unsupported and unprotected. What does that mean for all of us who rely on the web for business & leisure? Remember the tsunami analogy from Part 1? At this point you’re looking at the shore wondering where the water has gone and if this might suggest that something bad is about to happen...
If you want much more info about this then read on...
Having introduced you to PHP in Part One, in this piece we are going to look into PHP in a little more depth because, without the necessary detail, it will be harder to grasp the importance of the changes that are coming, and more importantly, how they could affect you and your business.
Bear with us, we know the next bit is techy, but it’s relevant and you’ll understand the background better.
PHP is an open-source development language, distributed free under the BSD-style (Berkeley Software Distribution) licence. We will be writing in greater detail about open-source software in another Insight but suffice to say that you can develop PHP-related software and freely distribute it but you are discouraged from including the term ‘PHP’ in the name of your product.
As we explained previously, this, along with the sheer utility of PHP, has meant that it has spread far and wide and underpins the vast majority of web deployments. This reliance is crucial to our story and the importance of future events.
Ok, what does it do?
The most common use of PHP is to access a database, parse the results from that database, and display the results on a web page. This is why PHP is the final part of the common acronym "LAMP", which stands for "Linux, Apache, MySQL, and PHP". A LAMP installation is one of the most common configurations for a web server and combines the powerful Apache web server with PHP and MySQL to allow for amazingly robust web pages and data management. In fact, these tools are frequently tuned to work together with little to no additional configuration.
PHP also has the capability of being embedded directly into a web page or being used from the command line, making it a powerful tool that can handle anything from displaying information pulled from a database to performing system tasks in a scheduled manner.
Fascinating! Wonderful!! So what?
Well, the key word above is ‘powerful’. PHP is powerful and part of the reason for that is that it runs with administrator privileges. It has to in order to do what it does but that means that should it be hijacked then an intruder has an equally powerful tool in their hands.
There are a number of known PHP vulnerabilities and many of them have been addressed, but attacks such as Remote Code Execution (RCE) should keep anyone one their toes.
“RCE attacks exploit weaknesses in PHP code which allows another, hostile, piece of code to be executed by the server.”
Not all vectors of attack relate to PHP and this article only references one such example. Suffice to say there are enough to keep you awake at night.
Almost more damaging is the chance that such an attack is made public; you can’t simply restore reputation from a backup.
Many of these issues have been addressed within PHP, however you cannot assume that all is therefore well. Some of the weaknesses arise as a result of coding mistakes, some are inherent to certain versions of PHP. If you follow that link you may be forgiven for thinking all is utterly lost. It isn’t – such bug lists are common to all major software, but it does give you an idea of how extensive such issues can be.
Issues like these are not exclusive to PHP, as mentioned pretty much all major software developments suffer from occasionally serious problems. One of the highest profile problems recently was the WannaCry ransomware attack against Windows computers. WannaCry exploited a weakness in the Windows SMB (Server Message Block) protocol, the irony being that the update to resolve this weakness had been distributed by Microsoft some weeks previously. There is probably a whole article about why people and organisations don’t apply critical updates in a timeous matter, but that’s for another time. Suffice it to say that a failure to update systems cost some users a lot of grief and money.
What has Windows got to do with PHP, or WannaCry for that matter? The key fact, beyond the story itself, is that Windows is a heavily supported system. Microsoft are not faultless where updates are concerned but they do produce them, and they do distribute them. It was client failure that allowed Wannacry to propagate. Further, Wannacry was a weaponised hack – it is alleged that it was developed by a nation state and released into the wild by another nation state, whereby cyber criminals somehow got access to it.
That’s three potentially major issues right there:
The most commonly deployed version of PHP, 5.5 and 5.6 will no longer receive any support or updates from December 2018. At the time of writing it is only receiving critical security updates. From December even that ends. Think on that a moment – one of the bedrocks of the web as we know it will shortly be unsupported and unprotected. What does that mean for all of us who rely on the web for business & leisure? Remember the tsunami analogy from part 1? At this point you’re looking at the shore wondering where the water has gone and if this might suggest that something bad is about to happen...
We’ll cover that in the next part of this Insight.
If you have any questions regarding your website or would like to discuss how Inspire can help you build the web presence your business deserves, contact us. We will be happy to discuss even the arcane minutiae of web building and design!
Cyber Security, Cyber Security Vulnerabilities, PHP, Security, Website Support, Website Vulnerabilities