Patches from Adobe, Apple, Skype and more

Spotted in the Wild: Rogue Microsoft Update Site; Consumer group slams RealPlayer as 'badware'; and other interesting reading

By Jason Meserve, Network World
February 07, 2008 10:39 AM ET

Adobe fixes undisclosed vulnerabilities in Reader
Adobe released on Wednesday an update that fixes vulnerabilities in its widely used Reader document viewing program. Users are urged to upgrade to Version 8.1.2, available for download on Adobe's Web site. IDG News Service, 02/06/08.
**********

Skype plugs critical cross-zone scripting hole
Skype Tuesday patched a critical vulnerability that forced it to dump several features from its VoIP and chat software to prevent attackers from hijacking Windows PCs. Users can download the patched Skype -- Windows Version 3.6.0.248 -- from the service's Web site.
**********

Attackers zero in on Yahoo Jukebox ActiveX flaw
Just one day after hackers showed how to exploit a number of flaws in the ActiveX software used by Internet Explorer, Symantec has spotted online criminals using one of the attacks.

Symantec Security Response blog: That Didn’t Take Long! Unpatched Yahoo Vulnerability being Exploited in the Wild
**********

Apple patches QuickTime and iPhoto
Apple has fixed a heap overflow in QuickTime that could be exploited to run code when users visit a malicious Web site. QuickTime users should upgrade to Version 7.4.1. The company also repaired a format string vulnerability in its popular iPhoto application. Attackers could exploit the flaw to run malicious code on an affected machine. Users should upgrade to iPhoto 7.1.2.

QuickTime advisory

iPhoto advisory
**********

Four new patches from rPath:

gd (buffer overflow, code execution)

icu (denial of service, code execution)

MySQL (multiple flaws)

xorg-x11 (multiple flaws)
**********

Two new updates from Ubuntu:

Apache (multiple flaws)

PulseAudio (privilege escalation)
**********

Five new fixes from Debian:

gnatsweb (code injection)

net-snmp (denial of service)

squid (denial of service)

CherryPy (denial of service)

Poppler (multiple flaws)
**********

Three new patches from Mandriva:

CUPS (multiple flaws)

ImageMagick (multiple flaws)

emacs (multiple flaws)
**********

Two new fixes from Gentoo:

Doomsday (multiple flaws)

SDL_image (buffer overflows, code execution)
**********

Today's malware news:

Spotted in the Wild: Rogue Microsoft Update Site
Watch out for this one. It's not the real Microsoft Update site. F-Secure blog, 02/06/08.

Storm worm dethroned by sex botnet
Romance is out and sex is in, according to security experts who said the Mega-Dik botnet has ousted the infamous Storm as the most prolific sender of spam. The Mega-D botnet, which offers discounted sexual enhancement pills to users, delivers a whopping 30% more spam than Storm, famous for delivering malicious Valentine's cards. Computerworld, 02/04/08.
**********

From the interesting reading department:

Consumer group slams RealPlayer as 'badware'
A consumer advocacy group is blasting RealNetworks for installing adware and other software without properly notifying its users. In a report published Thursday, StopBadware.org faults the latest version of RealPlayer for secretly installing its Rhapsody Player Engine during the RealPlayer installation. IDG News Service, 02/04/08.
