Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.
iPhone 2.0 includes critical security fixes
Apple fans who bought their iPhones before Friday's splashy iPhone 3G rollout have a new reason to upgrade their software:
It's buggy. Apple disclosed Friday that the iPhone 2.0 software, which can be downloaded by users of the previous-generation
iPhone, fixes some bugs in the browser and networking software in that earlier device. Some of the browser bugs are serious
and could give attackers a way to sneak malicious software onto the iPhone. IDG News Service, 07/11/2008.
Apple updates Xcode tools
Apple has fixed a couple of flaws in its Xcode tools release 3.1. One flaw could be exploited through a malicious file being
opened. A second could result in system information being disclosed.
Apple patches AppleTV
A new update for Apple's AppleTV platform fixes a number of flaws in the platform's operating system. The vulnerabilities, which
could be exploited by opening a maliciously crafted file, could result in a denial-of-service attack against the device or
malicious code being run on it.
**********
Microsoft fixes month-old WSUS patch snafu
Microsoft Corp. yesterday issued a fix for a flaw that had blocked users from grabbing security patches through Windows Server
Update Services (WSUS) for several weeks. Computerworld, 07/10/2008.
Microsoft addresses ZoneAlarm patch snafu
Microsoft is re-issuing one of its advisories from this week's Patch Tuesday after some ZoneAlarm users complained they had
dead Internet connections after installing the fix. Network World, 07/10/2008.
**********
US-CERT highlights Java updates
According to the US-CERT advisory, Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime
Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.
**********
Developer fixes 33-year-old Unix bug
An OpenBSD developer has discovered and fixed a bug in the software that has been traced back to an AT&T version of Unix from
1975. The latest bug, which affected the yacc parser generator, followed the May discovery of a BSD flaw that was 25 years
old. TechWorld, 07/10/2008.
**********
Oracle to release 45 security patches Tuesday
Oracle will release 45 critical security fixes on Tuesday, the company announced Thursday. Among the affected products are
Oracle's database; its TimesTen in-memory database; Oracle Application Server; a number of PeopleSoft Enterprise products;
Oracle Enterprise Manager Database Control; E-Business Suite; and WebLogic Server, which it acquired by purchasing BEA Systems.
There are no new patches for Oracle's J.D. Edwards products. IDG News Service, 07/10/2008.
**********
Four new patches from Mandriva:
pidgin (integer overflow, code execution)
openoffice.org (integer overflow, code execution)
**********
Two new fixes from Debian:
poppler (code execution)
**********
Four new updates from Gentoo:
OpenOffice.org (integer overflow, code execution)
**********
Today's malware news:
Homer Simpson and the Kimya Botnet
The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn
by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message...
yes, "Homer" has seemingly returned, and he comes bearing infection files! The SpywareGuide Greynets Blog, 07/11/2008.
**********
From the interesting reading department:
Internet Rebooted Over DNS Fixes
We’ve all been aflutter over the past few days, wild with speculation as to the attack in this vulnerability note: Multiple
DNS implementations vulnerable to cache poisoning (via CERT/CC). Disclosed on Tuesday (and patched by Microsoft in MS08-037,
patched by BIND, by a whole host of vendors) the attack can lead to cache poisoning. Security to the Core, 07/11/2008.
Patch domain name servers now, says DNS inventor
Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about
the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now. Computerworld,
07/10/2008.
Bye Bye Bandwidth?
Everyone knows that in a matter of hours, hype can turn a small event into something much larger in the minds of society.
Enter the latest round of malicious spam we have seen here at Symantec - the death of the Internet. Symantec Security Response,
07/11/2008.
I'd Buy That for $10
On underground economy servers, criminals sell a variety of illegal goods and services including bank account credentials,
credit card numbers, and full identities. Typically, these goods are used for identity theft related activities. In the ISTR
XIII, Symantec observed that the cost of a full identity was 10 times cheaper than it was at the beginning of 2007 and has
gained in popularity to become the number three top ranked item advertised for sale. Symantec Security Response, 07/11/2008.
Jason Meserve is multimedia editor at Network World.
