On Patch Tuesday Eve, a number of patches from major vendors

Patches from Symantec, Apple, Cisco, CA, Adobe, others Sophos warns against iMunizator 'scareware' Hackers tuck attack code into U.K. government site, and other interesting reading

Symantec confirms ActiveX bugs in its own consumer software
Symantec Corp. has confirmed flaws in its most popular consumer security software that could give attackers the means to hijack the Windows PCs that the programs are supposed to protect. The vulnerabilities are in an ActiveX control that ships with several products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360. Computerworld, 04/04/08.

Symantec advisory
**********

Apple plugs QuickTime with 11 patches
Apple released 11 patches for its QuickTime multimedia program on Wednesday, fixing a variety of problems that could allow a hacker to execute malicious code on a machine. IDG News Service, 04/03/08.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Symantec confirms ActiveX bugs in its own consumer software
Symantec Corp. has confirmed flaws in its most popular consumer security software that could give attackers the means to hijack the Windows PCs that the programs are supposed to protect. The vulnerabilities are in an ActiveX control that ships with several products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360. Computerworld, 04/04/08.

Symantec advisory
**********

Apple plugs QuickTime with 11 patches
Apple released 11 patches for its QuickTime multimedia program on Wednesday, fixing a variety of problems that could allow a hacker to execute malicious code on a machine. IDG News Service, 04/03/08.

Apple advisory

Related:

US-CERT: Apple Updates for Multiple Vulnerabilities
**********

Cisco patches Unified Communications Disaster Recovery Framework
A command execution vulnerability in the Cisco Disaster Recovery Framework affects a number of products in the Cisco Unified Communications family. Attackers could exploit the flaw to run malicious code or gain full administrative access. A free update is available.
**********

CA patches ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite
According to CA, "CA ARCserve Backup for Laptops and Desktops Server contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code or cause a denial of service condition."

CA fixes Alert Notification Server
According to CA's advisory, "CA Alert Notification Server service contains multiple vulnerabilities that can allow a remote authenticated attacker to execute arbitrary code or cause a denial of service condition."
**********

Adobe claims it knew of 'Pwn to Own' bug
Security researchers at Adobe Systems Inc. claimed that they knew of a Flash bug before it was used to crack a Windows Vista laptop last week in the "Pwn to Own" hacker challenge. Late yesterday, Adobe also said it had fixed the flaw and would patch the problem this month. Computerworld, 04/03/08.

Adobe "pre advisory"
**********

April to be another big Microsoft security patch month
Microsoft plans to release eight security updates next Tuesday, five of which are rated critical by the software vendor. The critical patches affect Windows, the VBScript programming software, Microsoft Project and Internet Explorer, which will get two updates. They will be released as part of the company's monthly software update cycle, which mandates security updates on the second Tuesday of each month. IDG News Service, 04/03/08.

Microsoft advisory
**********

Three new updates from rPath:

gnome-ssh-askpass (privilege escalation, code execution)

tshark (denial of service)

CUPS (buffer overflow, code execution)
**********

Two new fixes from Ubuntu:

CUPS (buffer overflow, code execution)

OpenSSH (connection hijack)
**********

Three new patches from Debian:

mapserver (multiple flaws)

alsaplayer (buffer overflow)

xpdf (multiple flaws)
**********

Two new fixes from Gentoo:

OpenSSH (privilege escalation)

bzip2 (denial of service)
**********

Today's malware news:

Sophos warns against iMunizator 'scareware'
Calling it a Trojan horse, security firm Sophos has warned Mac users against downloading and using a Mac OS X application called "iMunizator," calling the software "scareware." Mac World, 04/02/08.

Sophos advisory

The Hunt for File Format Vulnerabilities
We have been seeing several vulnerabilities of non executable file formats used in the wild recently. For example, we can mention the Trojan.Mdropper.AA family that exploits a bug in a Microsoft Excel file format, or the case of the MSJET vulnerability (still unpatched) that affects MS Access files. The hunt for new vulnerabilities in popular file formats is still a good research area in the security world, especially when we talk about malicious code writers. Symantec Security Response blog, 04/04/08.

Ms. Polinka wants your bank account
There's been a banking trojan spam run in four European countries this morning. The targeted countries are The Netherlands, Switzerland, Latvia and Finland. F-Secure blog, 04/04/08.
**********

From the interesting reading department:

Hackers tuck attack code into U.K. government site
A Welsh government Web site has been hacked to serve up malicious JavaScript, a sign that the spate of attacks first spotted last month are continuing, analysts from security vendor Sophos warned Friday. IDG News Service, 04/04/08.

Number of viruses to top 1 million by 2009
The total number of viruses will reach 1 million by year-end, according to security experts. Malware writers have been forced to create new types of viruses and exploits more regularly as businesses and individuals improve security practices, the experts said. Computerworld, 04/05/08.

Failure to patch flaw exposes data on 60,000 at Antioch
Windows systems may be the most frequently attacked by malicious hackers, but they certainly are not the only targets. Serving as the latest reminder of that fact is Antioch University, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server. Computerworld, 04/05/08.

Companies struggle as Safari pops up on networks
Network administrators are complaining that Apple's recent decision to offer users its Safari Web browser as part of an iTunes and QuickTime update has made their lives harder, as they struggle to remove the software from PCs on their networks. IDG News Service, 04/04/08.

Men fall harder than women for Internet fraud, study finds
When it comes to being taken in by Internet fraudsters, men have a knack for losing cash, according to a new report from the Internet Crime Complaint Center. IDG News Service, 04/03/08.

April State of Spam Report
The April State of Spam Report is out today and its findings show that spam levels bounced even higher, averaging 81 percent of all email in March and peaking at all-time highs of nearly 88 percent. Symantec Security Response blog, 04/03/08.