Blogs

Security Alert Erik Larkin |

Microsoft Patches Critical Drive-by Flaw

A serious flaw that allows for drive-by-download attacks picks up a patch in today's regular monthly patch batch from Redmond, as do critical flaws in Microsoft Office. Network attack vectors of most concern for business networks get shored up as well.

The most important patch, MS09-065, closes a hole that could allow an attacker to take control of a vulnerable system if you view a specially crafted Embedded OpenType font. The patch is rated critical for Windows 2000, XP and Server 2003, and important for Vista and Server 2008.

Security Alert Erik Larkin |

iPhone Worm Rickrolls Jailbroken Phones

A mischievous iPhone worm that targets Australian jailbroken phones is changing the phone's wallpaper to an image of Rick Astley.

Above the changed wallpaper is the text, "ikee is never going to give you up," according to security company Sophos. According to a post from the company, which includes an image of ikee's effect, the worm searches for jailbroken phones whose users have not changed the default password after installing SSH, a tool used to remotely log in to computers and other devices. Like other worms, after finding a victim phone it will automatically attempt to find other phones to infect.

Security Alert Erik Larkin |

SSL Hole Cracks Open Secured Web Traffic

A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands.

Taking advantage of the flaw requires accessing the specific network traffic between a client, such as a Web browser, and a Web or other server. That means most home users probably wouldn't be specifically targeted by one of these potential man-in-the-middle attacks, according to discoverer Marsh Ray, a security researcher at PhoneFactor, which provides phone-based two-factor authentication solutions.

Security Alert Erik Larkin |

Java Patch Closes Security Holes

A new Update 17 version for JRE and JDK closes some major risks, including "arbitrary code execution," according to US-CERT.

Sun's new software versions, released yesterday, also address privilege escalation, denial of service, and information disclosure vulnerabilities, according to US-CERT's post. Unless you've turned it off, Java will check for updates automatically, but will only do so once a month (on a day that varies per installation).

Security Alert Erik Larkin |

Fix Old Flaws to Stop New Attacks

In further confirmation that Internet crooks tend to grab for the low-hanging fruit, a new Microsoft report reveals that the most common browser-based attacks tend to go after old software flaws. Making sure you've closed those holes can go a long way towards keeping your PC safe.

Browser-based exploits form the basis for some of the sneakiest and most dangerous attacks out there today. Crooks insert hidden attack code on a hijacked Web site that searches for a software vulnerability whenever anyone views the poisoned site. If the attack code finds a flaw, it will attempt to surreptitiously download and install a Trojan or other malicious software. If an antivirus app doesn't manage to catch it, the malware gets installed with nary a clue for the hapless victim.

Security Alert Erik Larkin |

Firefox Foils Microsoft's Security Hole

If you use Firefox, you may have already seen a pop-up from your browser alerting you that it is blocking the Microsoft .NET Framework Assistant and Windows Presentation Foundation add-ons. It's for good reason.

As of today, Mozilla's browser will automatically disable Microsoft's add-on and plug-in because of a gaping security hole that allows for drive-by-download attacks. The flaw lies in the Windows Presentation Foundation plug-in that is installed by the .NET add-on.

Security Alert Erik Larkin |

A Rogue Demands A Ransom

Rogue antivirus pushers have made big bucks by tricking people into paying for worthless software, but the ever-greedy scammers have added a new evil trick.

One strain of the rogue AV, currently called Total Security 2009, will now block access to anything on your PC until you pay for a serial number for the rogue program. Attempts to open anything will instead pop up a message claiming that the file is infected, and that you should "activate your antivirus software." Paying $79.95 for a serial number and "activating" the program allows you to use your PC once more, according to a post from antivirus maker Panda Security, but doesn't get rid of the scamming software.

Security Alert Erik Larkin |

Stolen Hotmail Passwords Show that Crooks like Webmail

Microsoft is blocking access to thousands of Windows Live Hotmail accounts after passwords for the accounts were publicly posted on a Web site.

According to a Windows Live blog post, Microsoft discovered the posted credentials over the weekend. The company is locking the accounts in question, and points to a recovery form for you to use to restore access if your account has been locked.

Security Alert Erik Larkin |

Microsoft's Free AV Looks Good in New Test Results

Microsoft's new free Security Essentials looks like it can get the job done, according to new scanning tests conducted by AV-Test.org.

The free standalone antivirus product has caused a stir since its Tuesday release, as might be expected when the words "Microsoft" and "free" are involved. In a post on the day of its launch, I referenced AV-Test performance results from an MSE beta. We now have new results from tests conducted this week against the final product (available for download), and overall MSE looks good:

Security Alert Erik Larkin |

BlackBerry Update Fixes Phishing Flaw

Research In Motion yesterday announced a new BlackBerry patch that fixes a display flaw that could help phishers conduct an attack.

The flaw involves the dialog box that displays when a BlackBerry user visits a supposedly secured site that uses a mismatched security certificate. If a scammer creates a certificate that uses hidden (null) characters, the BlackBerry browser will correctly recognize a mismatch between such a certificate and a Web site's name and display a warning dialog. However, the old dialog doesn't display hidden characters, which could make the certificate and site name look the same in the warning and lead users to ignore it.

Security Alert Erik Larkin |

Microsoft's New Free Antivirus Hits the Streets

Microsoft today lifted the curtain on its Microsoft Security Essentials, the free successor to its OneCare security program.

MSE uses the same antivirus engine as the phased-out OneCare, but the new free program focuses only on malware blocking. It doesn't include a firewall, system optimizer or other security suite-type features.

Security Alert Erik Larkin |

To Fight Worms, Use Ants

To combat worms, Trojans and other malware, a team of security researchers wants to use ants.

Not the actual live insects, of course, but computer programs modeled to act like ants in the way they roam a network and search for anomalies. "Ants aren't intelligent," says Glenn Fink, a senior research scientist at the Pacific Northwest National Laboratory who came up with the idea for the project, "but as a colony ants exert some very intelligent behavior."
