Thursday, November 01, 2007

Apple flaws fixed

Network World

Security: Threat Alert




Network World's Security: Threat Alert Newsletter, 11/01/07

By Jason Meserve

Today's bug patches and security alerts:

iPhone, iPod touch 'jailbreak' app patches critical TIFF bug

Hackers have released a tool that "jailbreaks" up-to-date iPhones and iPod touches, but unlike previous such software, doesn't require a Mac or PC as a middleman. The utility also fixed a long-standing vulnerability in the iPhone's and iPod touch's TIFF image-rendering library. That bug, which is shared by Safari, the iPhone's e-mail application and iTunes, had been used to both unlock iPhones and install earlier jailbreak programs. Computerworld, 10/29/07.
**********

Apple releases new Xcode Developer Tools

A new update to the Xcode Developer Tools fixes flaws in two of its underlying code libraries: gdb and WebObjects. The most serious of the flaws could be exploited to run malicious code on an affected machine. Users should download version 2.5 to fix the issues.
**********

Attack code out for critical Kodak bug in Windows

A hacker has released attack code that could be used to exploit a critical bug in some versions of the Windows operating system. Microsoft patched the flaw, which affects older versions of Windows, on Oct. 9. When the Image Viewer tries to open a maliciously encoded TIFF (Tagged Image File Format) file, it can be tricked into running unauthorized software on the PC. IDG News Service, 10/29/07.

Related Microsoft advisory
**********

Two new patches from Gentoo:

Opera (multiple flaws)

OpenSSL (denial of service, code execution)
**********

Two new updates from rPath:

CUPS (denial of service)

Firefox / Thunderbird (multiple flaws)
**********

Today's malware news:

Storm worm pulls Halloween hoax

It wouldn’t be Halloween without the zombie-creating Storm malware up to some mischief. The latest Storm-backed spam campaign invites e-mail recipients to visit a Halloween-themed Web site where they can download a dancing skeleton. What gets downloaded instead is a version of the Storm malware that turns unsuspecting users’ PCs into members of the world’s largest botnet. Members of these botnets are also known as zombies. Network World, 10/31/07.

F-Secure: Trick or Treat with Stormy Helloween

A new Mac Trojan?

Intego is reporting that a new Trojan (OSX.RSPlug.A) is targeting Mac users with the lure of free porn. If a targeted user clicks through all the security warnings, they could end up giving the virus root privileges on an affected machine.

Internet researchers discover new hacking service site

Security researchers studying the latest Internet crime trends have discovered a new Eastern European Web site that uses a large botnet to infect vulnerable PCs. The operators of the botnet and Web site charge clients for each successful PC infection. CIO, 10/29/07.

Fake FTC e-mails contain virus attack

Scammers are sending out virus-laden e-mails claiming to have information on complaints filed with the U.S. Federal Trade Commission, the FTC warned Monday. The e-mail appears to come from frauddep@ftc.gov -- a spoofed address -- and it includes a malicious attachment that downloads keylogging software, which is used to steal sensitive information such as passwords and account numbers. IDG News Service, 10/29/07.
**********

From the interesting reading department:

Spammers employ stripper to crack CAPTCHAs

Spammers are using a virtual stripper as bait to dupe people into helping criminals crack codes they need to send more spam or boost the rankings of parasitic Web sites, security researchers said today. Computerworld, 10/30/07.

Security by letterhead only for dunderheads

And maybe blabbermouths, but definitely dunderheads, says security expert Bruce Schneier after passing along a conversation between a customer and an ISP rep who was demanding that the former submit his domain-name change request on official company letterhead. Network World, 10/31/07.

PDF spam back with a vengeance

PDF spam, the summertime nuisance that flooded inboxes in early August and then quickly disappeared, is back and worse than ever. Network World, 10/31/07.

Audio-spam pitch rode eight-figure Storm wave

The Storm Worm botnet may be shrinking in size, but it has managed to send out 15 million of those annoying audio spam messages in October, according to antispam vendor MessageLabs. Computerworld, 10/30/07.

McAfee buys Web site security company ScanAlert for $51M

McAfee will acquire ScanAlert, a Web application security vendor, for $51 million, the companies announced Tuesday. IDG News Service, 10/30/07.

TJX data breach affected 94 million cards, banks allege

The TJX data breach affected more than 94 million credit and debit card accounts, more than twice the number acknowledged by the big retailer, a group of banks allege in a new court filing.



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.


Copyright Network World, Inc., 2007
