Security: Threat Alert

This newsletter is sponsored by Quantum

Network World's Security: Threat Alert Newsletter, 09/17/07

Microsoft pushes Messenger security upgrade

By Jason Meserve

Today's bug patches and security alerts:

Microsoft to push mandatory Messenger upgrade

Microsoft will force users of its aged MSN Messenger instant messaging software to upgrade to Windows Live Messenger 8.1 in response to a vulnerability in the older program that was made public Tuesday. According to a blog post by a Microsoft security program manager who identified himself only as "Anand," the instant messaging service will require users to update to the safe Live Messenger 8.1. Computerworld, 09/14/07.
Year-old QuickTime bug gives hackers new drive-by attack

A year-old bug in QuickTime that, when paired with Firefox, allows hackers to hijack PCs and Macs now has Mozilla Corp. scrambling for a fix, the company's chief security officer said yesterday. According to Petko Petkov, a U.K.-based Web application penetration tester, the current version of QuickTime contains a flaw in its Media Link (.qtl file formats) function. Any file with a QuickTime-supported extension -- there are more than 60 -- will be parsed by Apple Inc.'s media player. However, because it fails to sanitize the XML content, an attacker can sneak links to malicious JavaScript into the file and get QuickTime to run it.

Four new updates from rPath:

xorg-x11 (buffer overflow, code execution)

Four new patches from Mandriva:

librpcsecgss (buffer overflow, code execution)
Qt (buffer overflow, code execution)
id3lib (denial of service)

Eight new fixes from Gentoo:

flac123 (buffer overflow, code execution)
RealPlayer (buffer overflow, code execution)
Streamripper (buffer overflow, code execution)
MIT Kerberos 5 (multiple flaws)

Today's malware news:

Peacomm spam finally 'gets right to the point'

Peacomm samples - the so-called Storm worm - started sending unusual spam yesterday. For once, the mail did not contain a hard-coded IP address linking to fake videos, pseudo Tor clients or NFL "tracker programs". Symantec Security Response, 09/14/07.

Hacked GOP site infects visitors with notorious bot-making malware

A Republican Party Web site has been hacked, and for some time it has been spreading a variation of the long-running Storm Trojan horse to vulnerable visitors, a security researcher said today. Computerworld, 09/14/07.

The latest tactic from Storm Worm: e-mails with links to a fake gaming site. F-Secure Weblog, 09/16/07.

Would You Like Some Quechup With Your Spam?

A fair number of bloggers and readers have complained of being duped into handing over the e-mail and instant messaging addresses of their friends and family to a new social-networking site called "Quechup," which tends to welcome new members by spamming everyone who is close to them. Security Fix blog, 09/13/07.

From the interesting reading department:

E-commerce, security issues challenge network firewall role

Life behind the network firewall sometimes feels like life behind bars when it comes to today's collaborative e-commerce, which requires the opening of corporate networks to business partners. The Jericho Forum, the organization out to convince corporate executives and the security industry that they need to devise security options less dependent on a perimeter defense such as traditional firewalls, displayed its growing clout this week in a conference that attracted top design architects from Microsoft and Oracle and large end-user companies. Network World, 09/13/07.

Online thugs assault security help sites

The good guys are taking a hit in the ongoing online war between the thugs who profit from phishing and malware, and those who work to stop them. PC World, 09/12/07.

Sophos: St. Petersburg consulate Web site was hacked

Security vendors are warning that two U.S. Department of State Web sites based in Russia could contain malware and should be avoided. The most serious compromise was on the Web site for the U.S. Consulate General for St. Petersburg. About a week ago, researchers at Sophos discovered that the site had been hacked and was apparently serving up malicious software to visitors. IDG News Service, 09/13/07.

Malware hunters tame wild Webmasters, hosts

If hijacked sites and hosting companies that fail to police malware distribution sources represent two of the most serious threats to Internet security, there may be hope for improvement, according to researchers working with Harvard Law School's StopBadware.org. Computerworld, 09/14/07.

Names, contact info on 6M TD Ameritrade customers compromised

Contact the author: Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast.

Copyright Network World, Inc., 2007