A currently underway attack is attempting to trick victims with an e-mail that purports to request a verification for payment to a major company, but instead carries a Trojan.

E-mail security company Cloudmark reports seeing more than 1.6 million of the attack e-mails, which bear a subject of "payment request from" followed by a company name such as eBay or J. P. Morgan Chase and Co. The body of the message says that to decline the payment, the recipient must download and install an attached "transaction inspector module."

A new security advisory from Microsoft shines the light on a denial-of-service bug in Windows 7 and Server 2008 that could be hit to crash the system but not cause other harm.

The flaw in the Server Message Block (SMB) protocol only affects Windows 7 and Server 2008, and is unrelated to the previously fixed MS09-050 flaw affecting SMBv2, according to the Internet Storm Center. Microsoft says it does not yet know of any attacks against the flaw, but it has seen "public, detailed exploit code that would cause a system to stop functioning or become unreliable." A patch is not yet availabe.

Two-thirds of the sites that tend to care most about security still have serious unfixed vulnerabilities, according to an analysis from web security firm WhiteHat Security.

The statistics from WhiteHat's report, released today, cover vulnerabilities found in custom Web applications on 1,364 different Web sites. That number is only a small fraction of the number of sites online, but it represents those companies that have contracted with WhiteHat for additional security scanning, and therefore likely care more about security flaws than the average Web site.

A serious flaw that allows for drive-by-download attacks picks up a patch in today's regular monthly patch batch from Redmond, as do critial flaws in Microsoft Office. Network attack vectors of most concern for business networks get shored up as well.

The most important patch, MS09-065, closes a hole that could allow an attacker to take control of a vulnerable system if you view a specially crafted Embedded OpenType font. The patch is rated critical for Windows 2000, XP and Server 2003, and important for Vista and Server 2008.

A mischievous iPhone worm that targets Australian jailbroken phones is changing the phone's wallpaper to an image of Rick Astley.

Above the changed wallpaper is the text, "ikee is never going to give you up," according to security company Sophos. According to a post from the company, which includes an image of ikee's effect, the phone searches for jailbroken phones whose users have not changed the default password after installing SSH, a tool used to remotely log in to computers and other devices. Like other worms, after finding a victim phone it will automatically attempt to find other phones to infect.

A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands.

Taking advantage of the flaw requires accessing the specific network traffic between a client, such as a Web browser, and a Web or other server. That means most home users probably wouldn't be specifically targeted by one of these potential man-in-the-middle attacks, according to discoverer Marsh Ray, a security researcher at PhoneFactor, which provides phone-based two-factor authentication solutions.

A new Update 17 version for JRE and JDK closes some major risks, including "arbitrary code execution," according to US-CERT.

Sun's new software versions, released yesterday, also address privilege escalation, denial of service, and information disclosure vulnerabilities, according to US-CERT's post. Unless you've turned it off, Java will check for updates automatically, but will only do so once a month (on a day that varies per installation).

In further confirmation that Internet crooks tend to grab for the low-hanging fruit, a new Microsoft report reveals that the most common browser-based attacks tend to go after old software flaws. Making sure you've closed those holes can go a long way towards keeping your PC safe.

Browser-based exploits form the basis for some of the sneakiest and most dangerous attacks out there today. Crooks insert hidden attack code on a hijacked Web site that searches for a software vulnerability whenever anyone views the poisoned site. If the attack code finds a flaw, it will attempt to surreptitiously download and install a Trojan or other malicious software. If an antivirus app doesn't manage to catch it, the malware gets installed with nary a clue for the hapless victim.

If you use Firefox, you may have already seen a pop-up from your browser alerting you that it is blocking the Microsoft .NET Framework Assistant and Windows Presentation Foundation add-ons. It's for good reason.

As of today, Mozilla's browser will automatically disable Microsoft's addon and plugin because of a gaping security hole that allows for drive-by-download attacks. The flaw lies in the Windows Presentation Foundation plug-in that is installed by the .NET add-on.

Rogue antivirus pushers have made big bucks by tricking people into paying for worthless software, but the ever-greedy scammers have added a new evil trick.

One strain of the rogue AV, currently called Total Security 2009, will now block access to anything on your PC until you pay for a serial number for the rogue program. Attempts to open anything will instead pop-up a message claiming that the file is infected, and that you should "activate your antivirus software." Paying $79.95 for a serial number and "activating" the program allows you to use your PC once more, according to a post from antivirus maker Panda Security, but doesn't get rid of the scamming software.

Microsoft is blocking access to thousands of Windows Live Hotmail accounts after passwords for the accounts were publicly posted on a Web site.

According to a Windows Live blog post, Microsoft discovered the posted credentials over the weekend. The company is locking the accounts in question, and points to a recovery form for you to use to restore access if your account has been locked.

Microsoft's new free Security Essentials looks like it can get the job done, according to new scanning tests conducted by AV-Test.org.

The free standalone antivirus product has caused a stir since its Tuesday release, as might be expected when the words "Microsoft" and "free" are involved. In a post on the day of its launch, I referenced AV-Test performance results from a MSE beta. We now have new results from tests conducted this week against the final product (available for download), and overall MSE looks good: