
The recent hacking attack that prompted Google's threat to leave China underscores the heightened danger of previously undisclosed computer security flaws, and is renewing debate over the buying and selling of information about them on the black market.

The linchpin of the attack was one of the worst kinds of security hole: a flaw for which no fix was available. Criminals prize such "zero-day" vulnerabilities because they are the closest thing to a sure bet; a shrewdly crafted exploit against an unpatched flaw is all but guaranteed to succeed.

It's Patch Tuesday, but Microsoft didn't discover the latest zero-day vulnerability quickly enough to issue a fix this week. On Monday, Microsoft issued a security advisory about a new vulnerability in the Office Web Components Spreadsheet ActiveX control.

"The vulnerability exists specifically in the Spreadsheet ActiveX Control and could allow an attacker who successfully exploited this vulnerability the same user rights as the local user," the advisory said. "We are aware of limited, active attacks attempting to exploit this vulnerability."

Browse and Get Owned

Microsoft plans to combat Internet attacks already under way by plugging three critical Windows security holes on next week's Patch Tuesday. Apple also fixed some bugs with an update to its Safari Web browser.

One of the Patch Tuesday updates will plug a zero-day vulnerability within Microsoft TV Technologies that can be exploited through Internet Explorer. Microsoft TV Technologies is an ActiveX control that comes with Windows XP and is installed by default.

Apple and Microsoft are grappling with bugs this week.

On Wednesday, Apple released an update to Safari. Safari 4.0.2 fixes two bugs in the browser's WebKit engine. The first is a flaw in WebKit's handling of the parent and top window objects that could open the door to a cross-site scripting attack if a user visited a malicious Web site.

The second is a memory-corruption bug in the way WebKit handles numeric character references. Apple said visiting a maliciously crafted Web site could crash the browser or allow an attacker to execute arbitrary code.

Microsoft has warned of a vulnerability in its Video ActiveX Control that affects Windows XP and Windows Server 2003. The software giant said there have been limited attacks exploiting the vulnerability.

The flaw can be exploited by a visit to a malicious Web site and lets an attacker take control of the PC. Microsoft said it is working on a security update and, in the meantime, advised users to prevent the Microsoft Video ActiveX Control from running in Internet Explorer by setting the control's kill bit.

It's an unfortunate reality, but attackers can wreak havoc with your cell phone or PDA by taking advantage of the very features that make your life more convenient.

For example, attackers can spam you with text messages that may result in extra charges, or infect your device with malicious code that lets them use your service. Attackers who gain control of your service may then use your device to attack others.

The U.S. Computer Emergency Readiness Team (www.us-cert.gov) recommends the following steps to protect your portable devices:

The Internet remains vulnerable to exploits of a critical security flaw in the Domain Name System, a Russian programmer demonstrated last week. Writing on his blog on Friday, Evgeniy Polyakov reported that he had succeeded in getting patched DNS software to accept and return a forged (poisoned) record in less than 10 hours.

His work shows that the DNS patches, which had appeared to solve the immediate problem, only make the attack slower and more expensive; they do not prevent it.
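Why a patch that adds entropy slows the attack without stopping it is easiest to see with a small model of the poisoning race. The block below is an added illustration written for this page, not Polyakov's code or the DNS software's. It assumes (these are modelling assumptions, not facts from the article) that the attacker can trigger a fresh outbound query at will by asking for a random subdomain of the target zone, that each such query gives a guessing window of one round trip to the real authoritative server, and that the attacker can push `rate_pps` forged responses per second into that window. The closed form shows that the round trip cancels out: expected time to poison is simply the size of the guess space divided by the attacker's packet rate, which is why a 16-bit transaction ID alone falls in under a second and adding source-port randomization pushes the same attacker to hours rather than to "never".

```python
"""Model of the DNS cache-poisoning race against a resolver that randomizes
its transaction ID and, optionally, its UDP source port.  Added example;
the constants and assumptions below are labelled and are not from the
original article."""
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
PORT_SPACE = 64_511         # assumption: resolver uses ephemeral ports 1024..65535


def guess_space(port_randomized: bool) -> int:
    """Number of (txid, port) combinations a forged answer must match."""
    return TXID_SPACE * (PORT_SPACE if port_randomized else 1)


def expected_poison_seconds(space: int, rate_pps: float, rtt_s: float) -> float:
    """Expected wall-clock time until one forged answer is accepted.

    The attacker fits k = rate_pps * rtt_s distinct guesses into each window,
    so the per-window success probability is p = min(1, k / space).  Windows
    are independent, so the number of windows is geometric with mean 1/p and
    the expected time is rtt_s / p.  For p < 1 that is rtt_s * space / k =
    space / rate_pps: the round trip drops out and only the entropy of the
    guess space and the attacker's packet rate matter.
    """
    k = rate_pps * rtt_s
    p = min(1.0, k / space)
    return rtt_s / p


def simulate_poison(space: int, guesses_per_window: int, rng: random.Random) -> int:
    """Monte Carlo version: count windows until a forged answer matches.

    Each window the resolver picks a fresh secret (txid, port) index and the
    attacker fires `guesses_per_window` distinct forged answers at it.  The
    attacker wins the window if one of them matches before the genuine reply
    lands; otherwise a new random subdomain is queried and the race restarts.
    """
    if guesses_per_window >= space:
        return 1                                   # attacker covers the whole space
    windows = 0
    while True:
        windows += 1
        secret = rng.randrange(space)              # resolver's fresh random pick
        guesses = set(rng.sample(range(space), guesses_per_window))
        if secret in guesses:
            return windows


def hours(seconds: float) -> float:
    """Convenience conversion for the summary table."""
    return seconds / 3600.0


if __name__ == "__main__":
    rate = 100_000.0        # assumption: forged responses per second the attacker can send
    rtt = 0.05              # assumption: 50 ms round trip to the authoritative server
    for randomized in (False, True):
        space = guess_space(randomized)
        secs = expected_poison_seconds(space, rate, rtt)
        print(f"port randomization={randomized!s:5}  space={space:>11,d}  "
              f"expected time={secs:10.1f} s ({hours(secs):.2f} h)")
    rng = random.Random(2008)
    k = int(rate * rtt)     # 5000 guesses fit into one 50 ms window
    print("simulated windows, txid only:", simulate_poison(TXID_SPACE, k, rng))
```

With the assumed 100k packets per second, the txid-only space (65,536) is expected to fall in about 0.65 seconds, while adding source-port randomization (about 4.2 billion combinations) raises the expectation to roughly 11.7 hours, the same order of magnitude as the sub-10-hour result reported above. Raising the attacker's rate, or finding a resolver whose port range is narrower than assumed, shrinks that number proportionally; only a larger guess space (or validation the attacker cannot forge, such as DNSSEC) changes the picture qualitatively.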

Cache Poisoning

Microsoft has officially responded to the discovery of a "blended threat": a design weakness in Safari that lets a malicious Web site download a myriad of unwanted files into the user's download location without prompting, the so-called "Carpet Bomb" effect.

While the Microsoft Security Response Center is working on the problem with Apple and is not calling it a vulnerability in either Windows or Safari, it has issued a security advisory that guides Windows customers to restrict their use of Safari until an update is available from either Apple or Microsoft.