Since nobody answer this question, let me to be honest. I am not sure whether all security threats already addressed in v1.6 RC4, cause I have not tested whether any security-hole still be opened or not.
Basically, set register_global directive to OFF is recommended. At least, this is what php.ini said:
You should do your best to write your scripts so that they do not require register_globals to be on. Using form variables as globals can easily lead to possible security problems, if the code is not very well thought of.
Best regards,
Masino Sinaga