Mobile Security a hot topic at CTIA

Patches from Microsoft, Adobe, Debian, others
Kraken, Not New But Still Newsworthy?
10 security threats to watch for, and other interesting reading

Security: Threat Alert, by Jason Meserve, Network World, 04/10/2008
Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.

Microsoft patches critical bugs in Windows graphics system
Microsoft issued a critical patch for two vulnerabilities in the core graphics subsystem of Windows, one of eight fixes released Tuesday as part of its monthly security updates. IDG News Service, 04/08/08.

Microsoft advisories:

Vulnerability in Microsoft Project Could Allow Remote Code Execution

Vulnerabilities in GDI Could Allow Remote Code Execution

Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution

Security Update of ActiveX Kill Bits

Cumulative Security Update for Internet Explorer

Vulnerability in DNS Client Could Allow Spoofing

Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution

Related:

US-CERT: Microsoft Updates for Multiple Vulnerabilities
**********

Adobe fixes seven flaws in Flash Player
Adobe has upgraded its Flash Player to fix seven vulnerabilities in the graphics and video software widely used for interactive Web pages and banner advertisements. Adobe classifies the patches as "critical" and advises people upgrade to the latest version, 9.0.124.0. All of the vulnerabilities could allow a hacker to execute code on a machine. IDG News Service, 04/09/08.

Adobe advisory

US-CERT Advisory: Adobe Flash Updates for Multiple Vulnerabilities
**********

Five new updates from Debian:

pdns-recursor (cache poisoning attack)

vlc (multiple flaws)

libcairo (integer overflow, code execution)

openldap2.3 (multiple flaws)

lighttpd (denial of service)
**********

Four new patches from Gentoo:

PECL APC (buffer overflow, code execution)

UnZip (double free flaw, code execution)

NX (multiple flaws)

MySQL (multiple flaws)
**********

Today's malware news:

Kraken, Not New But Still Newsworthy?
There's recently been quite much fuss about a botnet of spam trojans dubbed Kraken. There've been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most vendors in the industry have been wondering about the numbers, which seem to be a bit bloated when taking a look at received samples. F-Secure blog, 04/09/08.

Symantec: Kraken to Surpass Storm

New attack kit targets bag of ActiveX bugs
Hackers are using a new multiple-attack package composed of seven ActiveX exploits, many of them never seen in the wild before, said a security company on Friday. Fewer than half of the flawed ActiveX controls have been patched. Computerworld, 04/07/08.
**********

From the interesting reading department:

Video: Bluefire protects mobile devices against attack
In a rather chilling demo with Bluefire Security Technologies, Keith finds out how easy it is for someone to attack a mobile device. Network World, 04/09/08.

Podcast: How the FCC's 700MHz auction could open the door for mobile malware
Threats to mobile devices today mostly take the form of a lost or stolen device containing sensitive information. But the recent 700MHz spectrum auction, which requires open access in some blocks, could pave the way for more malware on your smartphone. Jeff Ailiber and Tom Bowers of Kaspersky Lab talk about the potential threat and what can be done to protect your mobile device. (11:00)

10 security threats to watch for
There are lots of ways business networks can be compromised, and more are developing all the time. They range from technology exploits to social engineering attacks, and all can compromise corporate data, reputation and the ability to conduct business effectively. Network World, 04/09/08.

Experts hack power grid in no time
Basic social engineering and browser exploits expose electric production and distribution network. Network World, 04/09/08.

Malware count blows past 1M mark
Symantec Corp.'s malware tally topped 1 million for the first time in the second half of 2007 as the number of new malicious code threats skyrocketed, the company said in its semiannual report on the state of security. Computerworld, 04/08/08.

Microsoft releases public beta of security console
Microsoft on Tuesday released the first public beta of a centralized management console that will pull together administrative tasks around its collection of Forefront security software for clients, servers and the network edge. Network World, 04/09/08.

RSA - Chertoff: DHS project will lock down federal computers
U.S. Homeland Security Secretary Michael Chertoff said his agency is working on a "reverse Manhattan Project" to help secure the federal government's computer systems. IDG News Service, 04/08/08.

HP admits to selling infected flash-floppy drives
Hewlett-Packard Co. has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Computerworld, 04/07/08.

Jason Meserve is multimedia editor at Network World.
