Thursday, December 29, 2005

Windows, IE flaw blooming as exploits emerge


A highly critical vulnerability in Windows has been discovered, and Microsoft has promised to address the issue, either with the regularly scheduled "second Tuesday of the month" update on January 10th or by releasing an out-of-cycle security update before that date. The issue involves the way Windows and Internet Explorer handle Windows Metafile files (.wmf). While the folks in Redmond ponder when to release a fix, black-hat hackers are beginning to write and distribute exploits based on the vulnerability. The United States Computer Emergency Readiness Team (CERT) has issued a security alert, and antivirus software organizations, including Microsoft, are updating their virus definitions to detect the exploits.

posted Thursday, December 29, 2005 at 12:15 PM Pacific Time



Friday, November 25, 2005

latest Sober worm complex, spreading rapidly


A variant of this year's Sober worm, known as Sober X, Y or Z depending on which security organization is describing it, has begun to spread rapidly. Once activated on a user's Windows system, it can lead to data theft, disable existing virus protection, and block network connectivity to online security organizations such as Symantec and McAfee. Some organizations, F-Secure among them, have classified this worm as among the most serious. The worm arrives as an attachment to an e-mail, sometimes one purporting to come from the FBI or the CIA. Once installed, it displays a message box stating, "No Viruses, Trojans or Spyware found!"

As usual, avoid opening unrequested attachments from unknown sources.

posted Friday, November 25, 2005 at 09:40 AM Pacific Time



Thursday, November 10, 2005

the unintended consequences of hidden software


After running a Windows rootkit detector on one of his computers a few weeks ago, Mark Russinovich found hidden software on his system and published the details to his blog, and Sony's secret wasn't a secret anymore. The software, digital rights management (DRM) software, is installed when a user plays recently released albums published by Sony on a Windows system. The questionable tactics behind the installation of this "poorly written", hidden software have gotten Sony sued in California and, perhaps, New York, along with a potential customer backlash.

Now, a trojan has surfaced in the wild that makes use of the DRM software's ability to hide files from the user. The trojan, which must be run to have any effect, is delivered via email, most recently with the subject "Photo Approval Deadline". According to the Sophos analysis, "Troj/Stinx-E connects to one of several IP addresses and runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run Troj/Stinx-E copies itself to <System>\$sys$drv.exe. Troj/Stinx-E can be instructed to delete, execute, and download and execute files."

Mac OS X is not affected.

posted Thursday, November 10, 2005 at 11:21 AM Pacific Time



Saturday, August 20, 2005

vendors face shrinking window to address vulnerabilities


The time between the disclosure of a vulnerability's details and its exploitation is rapidly shrinking. After Microsoft addressed issues in Windows 2000 and other components with a patch earlier this month, black hat hackers had working exploits for the vulnerabilities less than one day after the patch was released, resulting in this month's worm variants, "Zotob", "Bozori", and others.

The time it takes for nefarious coders to release a dangerous worm or virus after a vulnerability is announced is rapidly shrinking on the Microsoft Windows side of the aisle. In an article published yesterday, Jason Miller of SecurityFocus says that the delay in addressing announced vulnerabilities in the open source components of Mac OS X is a recipe for a dark future unless Apple can respond quickly to emerging vulnerabilities in those components; however, "[t]he one thing that [Mac] OS X does have going for it is a solid foundation, so we can be reasonably sure that it won't face the quantity and severity of vulnerabilities that we've seen littered within Windows. But there will be vulnerabilities, and some of them will be severe, and with the current patching speed for OS X, this paints a pretty scary picture."

posted Saturday, August 20, 2005 at 10:10 PM Pacific Time



Friday, June 25, 2004

Download.Ject causing headaches for IIS administrators


A combination of critical vulnerabilities in Microsoft's Internet Information Services 5.0 web server and Internet Explorer is resulting in widespread infection by a snippet of JavaScript. A number of popular web sites running IIS have apparently been infected and are in turn infecting visitors who use vulnerable versions of Microsoft's Internet Explorer browser. Microsoft has published a "What You Should Know About Download.Ject" page and urges system administrators running IIS to apply update 835732 to keep their servers from becoming infected. Symantec and F-Secure have published information on this worm, including the note that a Trojan called "padodorw" can be installed on a compromised system. Administrators using Apache to serve web pages, including TechSplanations, are not vulnerable to this exploit.

UPDATE 6/25 7:20 PM: Infection doesn't seem to be as widespread as originally reported, as the site containing the infectious code is no longer accessible.

posted Friday, June 25, 2004 at 09:11 AM Pacific Time



Tuesday, June 15, 2004

Cabir demonstrates vulnerability in Nokia phones


Symb/Cabir-A is thought to be the first worm that targets a mobile phone. The anti-virus company Sophos describes the worm as using Bluetooth to transmit itself to other phones. The worm, apparently designed as a proof-of-concept, does no real damage. Finnish anti-virus company F-Secure offers a method of protection.

posted Tuesday, June 15, 2004 at 07:36 PM Pacific Time



Tuesday, June 08, 2004

IE6: two more Active Scripting vulnerabilities detailed



A couple of recently discovered vulnerabilities in Internet Explorer 6 for Windows can, in combination with other known vulnerabilities, allow malware to be executed, even on a fully up-to-date system. The vulnerabilities, which require a user to visit a malicious web site, can be exploited to compromise a system and install unwanted software through the use of Active Scripting. According to the security organization Secunia, the ways to avoid this exploit are to visit only trusted websites or to completely deactivate Active Scripting in Internet Explorer 6. Secunia has rated this vulnerability as extremely critical.

posted Tuesday, June 08, 2004 at 09:03 AM Pacific Time



Saturday, June 05, 2004

Netgear WG602 admin login vulnerability reported



An undocumented backdoor administrative login in the Netgear WG602 wireless access point has been discovered. While it is still unclear who or what organization inserted it, it may have been introduced by Z-Com, a Taiwanese vendor of network devices. Some users of the device report that the latest version of the firmware, 2.0rc5, may fix the vulnerability.

posted Saturday, June 05, 2004 at 11:25 AM Pacific Time



Friday, June 04, 2004

Korgo steals, transmits your keystrokes


The Korgo virus and its numerous variants are beginning to infect vulnerable Windows systems. Since its initial detection on May 24th, the virus has been spreading rapidly, and it appears to act as a keylogger, recording keystrokes and transmitting the data over an Internet Relay Chat (IRC) connection. The virus and its variants exploit a vulnerability present in nearly every version of Windows. The vulnerability was patched in Microsoft's May Software Update release. To make sure you have this update installed, visit Microsoft's Software Update web page. Virus and security organization F-Secure is rating this virus as a Level 2 threat.

posted Friday, June 04, 2004 at 02:31 PM Pacific Time



Monday, May 03, 2004

QuickTime 6.x vulnerable to buffer overflow exploit


Secunia Security is reporting this morning that a highly critical vulnerability has been discovered in QuickTime 6.x and iTunes 4.x; eEye Digital Security reports that a bug in Apple's QuickTime code can allow arbitrary code to be executed on a compromised system. An exploit would likely come in the form of a specially crafted QuickTime movie. Apple has, apparently, acknowledged the vulnerability and has indicated that a successful exploit would only cause the application to quit. Update to QuickTime 6.5.1 to resolve this vulnerability.

posted Monday, May 03, 2004 at 09:34 AM Pacific Time



Sunday, May 02, 2004

Sasser.A & Sasser.B worms infecting vulnerable systems


Late last week, a new worm, Sasser, began spreading to vulnerable Windows systems. This worm, based on a Windows vulnerability that Microsoft patched less than three weeks ago, could begin infecting more systems on Monday morning as home users return to work. This weekend a variant appeared, so at least two versions of the worm are now in the wild. These worms can be removed with tools (Symantec | F-Secure | McAfee) provided by anti-virus and security organizations, and Windows users who have installed this month's update from Microsoft are not vulnerable to this particular worm. It is recommended that the system be updated before the worm is removed. F-Secure is rating this worm as a Level 2 threat.

posted Sunday, May 02, 2004 at 02:26 PM Pacific Time



Thursday, April 08, 2004

finally: Mac OS X has its first trojan horse


Intego, a creator of Macintosh security products, announced today the existence of the first known Trojan Horse for Mac OS X. This malware comes in the form of executable code embedded within the metadata tag of an .mp3 file; it is a Trojan Horse that has the potential to change or delete a user's files and can, ostensibly, infect other files such as mp3, jpeg, gif and QuickTime files. At this point, it doesn't appear that this particular Trojan Horse, named MP3Virus.Gen, is spreading very rapidly. Originally, this Trojan Horse appeared simply as a proof-of-concept and does little, if any, actual damage.

It is unclear, as of yet, if Apple is aware of this issue.

What is clear: Mac OS X is averaging 1 virus/trojan horse every 3 years. Windows users, on the other hand, must contend with nearly daily assaults on their systems.

UPDATE, April 9th 2:13pm ET: MacCentral has Apple's response, and Wired has updated their article as well.


posted Thursday, April 08, 2004 at 03:50 PM Pacific Time



Thursday, March 04, 2004

"state of war" exists between authors of Netsky and Bagel


It appears that the authors of the Bagel and Netsky worms are "at war", and their battleground seems to be any vulnerable Windows system found while spreading. Using some extreme language, the authors of the two worms have lobbed taunts back and forth with each successive worm release. While it isn't clear when this particular war will end, what is clear is that only vulnerable computers serve as a launch bed for either of these worms. Regularly updating Windows by way of Microsoft's Windows Update page, using a firewall, and running virus protection software are three ways to keep malicious code out of your Windows system.

posted Thursday, March 04, 2004 at 05:05 PM Pacific Time



Wednesday, January 28, 2004

Variant worm, W32/MyDoom-B beginning to surface


Hot on the heels of Monday's W32/MyDoom-A worm, a variant, W32/MyDoom-B, has appeared and is currently being analyzed by anti-virus and security organizations. The variant appears set to target Microsoft and SCO in denial-of-service attacks; F-Secure has rated this worm a Level 2 threat.

posted Wednesday, January 28, 2004 at 09:15 AM Pacific Time



Monday, January 26, 2004

W32/MyDoom-A worm now rapidly spreading


The latest worm to hit the Windows operating system, W32/MyDoom-A, also known as W32.Novarg.A@mm or mimail.r, is rapidly infecting systems and is now active in all regions of the Internet. It appears to harvest addresses from compromised systems, then sends copies of itself to randomly chosen addresses; there is also a backdoor component listening on TCP port 3127. This worm has been rated a Level 1 threat by F-Secure.

posted Monday, January 26, 2004 at 05:49 PM Pacific Time




techsplanations.com


Creative Commons License: the original content of TechSplanations News & Information is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.