Critical vulnerability identified in PHP; hotfix available

The Zend Company reported today: A critical vulnerability in the PHP engine has just been identified. This exploit is significant because most PHP applications on impacted systems are remotely exploitable to a very simple denial of service attack. Zend has released a security hotfix to address this vulnerability (see below).

Due to the way the PHP runtime handles internal conversion of floating point numbers, it is possible for a remote attacker to bring down a web application simply by adding a specific parameter to a query string in their web browser (click here for more information).

This vulnerability is present on all versions of PHP including PHP 4.x and 5.x, on all Intel-based 32-bit PHP builds.

PlatformVulnerabilityWindowsYESLinux (using 32-bit PHP build)YESLinux (using 64-bit PHP build)NOMac OSNOIBM iNO
Zend Server and Zend Server CE users should immediately apply the security hotfix.

• Linux users: run your package manager’s update command (see the Zend Server Installation Guidefor more details).
• Windows users: download the hotfix.

Hotfixes for Zend Core and Zend Server CE tarball installer are currently being finalized and will be made available soon.