attacker

On Tuesday, Google revealed cyberattacks against it and other U.S. companies. Within two days, security researchers had traced one of the open doors back to Internet Explorer. Microsoft has admitted that a remote code execution (RCE) vulnerability exists in IE.

"Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," said Mike Reavy, Microsoft Security Response Center director.

Dear Action Line: How do I keep track of all the computer software vulnerabilities floating around the Internet? I can't really trust the sellers to keep me informed of their latest glitches and don't see it in the newspaper or on TV. -- H.E., Tulsa.

Two sources of "cyber security news" are US-CERT and Help Net Security.

While IT administrators around the world had their hands full planning to implement the largest-ever set of patches from Microsoft on Tuesday, another software maker quietly rolled out a massive fix of its own.

On what will go down in IT admin history as a day of headaches, Adobe Systems rolled out updates for Acrobat and Reader on Tuesday. The updates address 29 critical security vulnerabilities in the PDF applications, which are used on business and consumer PCs around the world.

Apple released a king-sized security update for Mac OS X on Thursday, a separate fix for its just-released Snow Leopard, and an update to the iPhone operating system. Some of the updates fix problems, but others seem to cause new ones.

Thursday's update fixes 33 vulnerabilities in the Mac OS X Leopard operating system, including flaws in bundled third-party components such as Adobe Flash, Samba, MySQL and PHP. The Leopard update also addresses potential security vulnerabilities in Alias Manager, CarbonCore, CUPS, ColorSync, ImageIO, Wiki Server, CoreGraphics and Launch Services.

Before the dust even settled on Patch Tuesday, Microsoft confirmed a bug in several versions of its Windows operating system that could leave the door open to malicious hackers. Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

A powerful new type of Internet attack works like a telephone tap, except that it operates between computers and the Web sites they trust.

Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers vet Web sites and keep outsiders from seeing the traffic exchanged with them. If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.

Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two previously unpatched zero-day vulnerabilities. The other three address flaws rated important, which security researchers said can quickly escalate to critical.

Wolfgang Kandek, CTO of Qualys, said the bulletins should be addressed immediately because the flaws they fix allow an attacker to take complete control of a victim's computer.

It's Patch Tuesday, but Microsoft didn't learn of the latest zero-day vulnerability in time to issue a fix this week. On Monday, Microsoft issued a security advisory about a new vulnerability in the Office Web Components Spreadsheet ActiveX control.

"The vulnerability exists specifically in the Spreadsheet ActiveX Control and could allow an attacker who successfully exploited this vulnerability the same user rights as the local user," the advisory said. "We are aware of limited, active attacks attempting to exploit this vulnerability."

Browse and Get Owned

Apple and Microsoft are grappling with bugs this week.

On Wednesday, Apple released an update to Safari. Safari 4.0.2 fixes two bugs in the browser's WebKit engine. The first fix addresses an issue in WebKit's handling of the parent and top objects that could open the door to a cross-site scripting attack if a user visited a malicious Web site.

The second fix addresses a memory-corruption issue in the way WebKit handles numeric character references. Apple said visiting a maliciously crafted Web site could lead to the browser shutting down unexpectedly or to an attacker executing arbitrary code.

Microsoft has warned of a vulnerability in its Video ActiveX Control that affects Windows XP and Windows Server 2003. The software giant said there have been limited attacks exploiting the vulnerability.

The flaw can be exploited by luring a user to a malicious Web site and could allow an attacker to take control of the PC. Microsoft said it is working on a security update and, in the meantime, advised users to prevent the Microsoft Video ActiveX Control from running in Internet Explorer.
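The standard way to stop Internet Explorer from loading a specific ActiveX control, as Microsoft advised here, is to set the control's "kill bit": a DWORD value named "Compatibility Flags" with bit 0x400 set under the ActiveX Compatibility key for that control's CLSID. The script below is an added example written for this page, not Microsoft's own Fix it or the article's code. It assumes the CLSIDs of the affected control are taken from the vendor advisory; the all-zero CLSID in the example call is a placeholder, not a real control identifier.

```powershell
# Added example: set and verify the Internet Explorer kill bit for ActiveX controls.
# Registry mechanism (documented by Microsoft as the kill bit):
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" (DWORD) with 0x400 set => IE will not instantiate the control.
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy, so both hives are handled.
# The CLSID in the example call at the bottom is a PLACEHOLDER (assumption); substitute
# the CLSIDs listed in the advisory for the control you want to block.

$KillBit = 0x400

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string[]]$Clsid
    )
    process {
        foreach ($id in $Clsid) {
            foreach ($key in (Get-ActiveXCompatKeys -Clsid $id)) {
                if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400 (kill bit)')) {
                    if (-not (Test-Path -Path $key)) {
                        New-Item -Path $key -Force | Out-Null
                    }
                    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                                    -ErrorAction SilentlyContinue).'Compatibility Flags'
                    if ($null -eq $existing) { $existing = 0 }
                    # OR the bit in rather than overwriting: other compatibility flags
                    # for the control may already be set and must be preserved.
                    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -Value ([int]($existing -bor $KillBit)) -Type DWord
                }
            }
        }
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        [PSCustomObject]@{
            Key                = $key
            CompatibilityFlags = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(absent)' }
            KillBitSet         = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# Placeholder CLSID (assumption, not a real control). Remove -WhatIf to apply.
$exampleClsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $exampleClsid -WhatIf
Test-ActiveXKillBit -Clsid $exampleClsid | Format-Table -AutoSize
```

Writing to HKLM requires an elevated PowerShell session; Test-ActiveXKillBit only reads and can be run by any user to confirm the state on a machine. Because the flag is OR'ed into the existing value, rerunning the script is safe, and clearing the kill bit later means clearing only bit 0x400 rather than deleting the value.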