A relatively mild virus that spreads by infecting the Delphi programmer tool, and thereby infecting any program created with that tool, has been recently identified in some popular downloads.

According to Kaspersky, the Induc virus doesn't carry a malicious payload, and is therefore likely low risk. But the virus has not been detected until recently, and spreads by first infecting versions 4 through 7 of Delphi. Instructions for manually identifying infected Delphi versions are available from delphipraxis.net.

Flash cookies placed by many of the most popular Web sites are being used to track site visitors, even going so far as to re-create http tracking cookies after they're deleted by privacy-conscious surfers.

A new study released by researchers at the University of California, Berkeley, and other universites found that the Flash cookies, or local shared objects, are used on 54 of the top 100 Web sites, as ranked by Quantcast. The Flash cookies are stored in a different location than regular http cookies, and are not removed if you delete cookies from within your browser. Per the report, "even the ‘Private Browsing' mode recently added to most browsers such as Internet Explorer 8 and Firefox 3 still allows Flash cookies to operate fully and track the user."

Internet Explorer 8 blocked about four out of every five sites that attempt to trick visitors into downloading malicious software in browser security tests performed by NSS Labs, according to a report released yesterday.

In the Microsoft-sponsored tests, Firefox 3 came in at a distant second with 27 percent. Safari 4 scored 21 percent, Chrome 2 blocked 7 percent, and the Opera 10 beta was barely there with a 1 percent block rate. The tests did not include sites that use hidden exploits and drive-by-download attacks to attempt to install malware without your ever having a chance to recognize an attack.

Microsoft's nine security bulletins released today close a range of security holes involving ActiveX controls, Windows Media files and other software that affect the full array of Windows versions.

A fix for a serious flaw in the Microsoft Office Web components, disclosed in July, patches an ActiveX problem that allows for a drive-by-download attack against Internet Explorer users. A wide range of Office installs and components need the fix, including Office XP and 2003 and the Web Components Service Pack 3 for Office 2000, XP and 2003. Office 2007 and Office 2004 and 2008 are safe, but BizTalk Server 2002, Visual Studio .NET 2003 and the Internet Security and Acceleration Server 204 and 2006 need patching. For a full list of affected software see the MS09-043 bulletin.

The distributed denial-of-service attack that hampered access to social networking and blogging sites all went after one pro-Georgia blogger, according to security company reports.

According to a post from F-Secure's Mikko Hypponen, the attacks focused on Cyxymu's accounts at Twitter, Youtube, Facebook and Livejournal, and also included a "Joe Job" spam campaign that was designed to look as if the unwanted messages had been sent by Cyxymu. McAfee offers a similar analysis with a post that ties the spam campaign to the same botnet that launched the DDoS attack, and says that a cyxymu account at Fotki.com was also targeted.

Twitter and Facebook were hit today with denial-of-service attacks that can knock a site offline, but don't steal information or cause permanent damage. The question is, why?

Both sites have lately become attractive targets for online crooks who try to trick users into installing malware on their PCs. Malicious tweets or Facebook messages might promise some great new video, but instead install fake security software. Kaspersky today posted about the most social engineering attacks used by the "Koobface" malware against Facebook and Twitter users.

A Firefox update released today fixes a recently disclosed flaw in the way Firefox 3.0 and other programs handle SSL certificates, which are used for (theoretically) secure online communications.

The SSL cert problem was reported at last week's Black Hat security conference, and could allow an attacker to use a "null-termination" certificate to intercept SSL communications between the browser and a site. Such traffic is normally encrypted so that it would only appear as indecipherable letters and numbers to any digital spies, but the cert bug allows for a successful "man-in-the-middle" hijack if an attacker has access to your network.

Adobe has issued a range of patches for its most popular software to head off malware-pushing assaults that use poisoned PDF files to trigger a flaw in Flash.

According to Symantec, attacks may not be limited to using PDF files. Web-based attacks against the Flash flaw could potentially allow for a drive-by-download, so these are fixes most everyone will want ASAP.

Microsoft today took the unusual step of releasing out-of-band patches for severe security flaws in all versions of Internet Explorer, along with related holes in the Microsoft Active Template Library included with Visual Studio.

Microsoft generally only releases patches outside of its normal monthly cycle for the most dangerous security flaws. The IE risks involve "components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library," according to Microsoft, and could allow an attacker to run commands or download malware on a vulnerable PC if you simply view a malicious Web page. Such drive-by-download attacks are a favorite among Internet attackers.

Adobe's unfortunate security problems continue: Symantec today reported that is has discovered a new attack in the wild using malicious PDFs that target a zero-day security hole in Adobe Flash.

Symantec says it has only found a limited number of attacks for the time being. The new risk "is not something we should be sowing widespread panic over," says Marc Fossi, manager of development with Symantec, "but it is another reason to remain cautious."

Internet crooks love to create attack sites and e-mails that use lures based on popular news items and Internet porn. When the two come together, as with the recent news of an online "peephole" video of ESPN sportscaster Erin Andrews, the malware is sure to swarm.

A clarion call from security blogs is warning about just that. Sites purporting to show the video will push a hapless horndog to install a required video player that is instead - you guessed it - malware.

Microsoft today fixed a serious, under-attack flaw in a video ActiveX control, along with other critical flaws involving QuickTime files and fonts. But a critical zero-day hole in another ActiveX control remains unpatched.

The most important fix in today's Patch Tuesday fixes a hole disclosed eight days ago in the Microsoft Video ActiveX control. The flaw, which has been under active attack, is rated critical for Windows XP and moderate for Windows 2003. The MS09-032 patch disables the unused (for legitimate purposes) control to stymie potential attacks, but doesn't actually fix the underlying flaw.