Microsoft today fixed a serious, under-attack flaw in a video ActiveX control, along with other critical flaws involving QuickTime files and fonts. But a critical zero-day hole in another ActiveX control remains unpatched.

The most important fix in today's Patch Tuesday fixes a hole disclosed eight days ago in the Microsoft Video ActiveX control. The flaw, which has been under active attack, is rated critical for Windows XP and moderate for Windows 2003. The MS09-032 patch disables the unused (for legitimate purposes) control to stymie potential attacks, but doesn't actually fix the underlying flaw.

A critical flaw in the way Firefox 3.5 handles Javascript opens the door to a serious attack, according to Secunia, which tracks security vulnerabilities.

Sample exploit code is already available online, so while there aren't yet any reports of active attacks against this new flaw, there soon could be. Such an assault would likely take the form of a poisoned Web page that uses behind-the-scenes attack code to trigger the flaw.

Microsoft today warned of a serious security vulnerability in a Spreadsheet ActiveX control that could allow for a drive-by-download attack against vulnerable PCs.

The news means there are now two critical, unpatched holes involving flawed ActiveX controls (the first was disclosed last week) that could make IE users vulnerable to drive-by-download attacks if they simply view a poisoned Web page. Microsoft's advisory doesn't specify whether IE 8 might mitigate the new threat, but it does list these software components as installing the flawed ActiveX:

Crooks are going after a new security flaw involving the Microsoft Video ActiveX Control in Windows XP and Server 2003, Microsoft today announced.

Redmond's Security Advisory 972890 details the new threat, which could allow for a drive-by-download infection if you simply view a poisoned Web page using Internet Explorer - no click required. Windows Vista and 2008 are not affected, but Microsoft still recommends that users of those operating sytems apply the workaround (see below) as a precautionary measure. Also, while Microsoft's advisory doesn't specify which versions of IE are vulnerable, additional analysis from Symantec says that IE 6 and 7 are at risk, but the new IE 8 is not.

Samples of documents used in carefully prepared targeted attacks make clear that while a suspicious eye is a great security tool, some especially dangerous attacks might slide right by you.

Targeted attacks often send a carefully constructed e-mail to one or a handful of specifically chosen targets. The messages are well-written, and don't contain the tell-tale typos and errors that often accompany malware campaigns. They're far more rare, and far more dangerous, than the average attack.

Conficker may not dominate the headlines any longer, but it's still going strong, according to Trend Micro's Malware Blog and stats from the Conficker Working Group.

The worm/botnet grabbed plenty of attention earlier this year, and I wrote plenty about it myself. Part of that focus came from its giant infection rate, part from its sophisticated techniques, and part was pure hype. And after a ballyhooed April Fool's day threat came and went with little incident, it seemed to largely vanish from the public eye.

If you happen to see a too-good-to-be-true offer to watch the latest Harry Potter movie online for free, watch out.

According to anti-malware software maker PC Tools, opportunistic crooks are using poisoned blog comments and dirty search engine optimization tricks to highlight lures such as 'Watch "Harry Potter and the Half-Blood Prince" online free. Clicking a link would take you to a post that would then attempt to fool victims into downloading and installing a "streamviewer" to see the movie, which is of course actually malware. Online crooks have used fake video codecs and viewers for years as a favorite social engineering tactic.

Fake antivirus programs have become a favorite bad-guy scam for worming into your wallet, with a plethora of false reports of malware infections meant to to scare the unsuspecting into shelling out $50 for worthless software.

To help identify whether a pop-up or other warning is real, or whether it might have come from one of the many, many fake scams, Sunbelt Software yesterday put out a short guide. While it only lists a few relatively basic steps (check against a list of known bad apps, run a Google search, etc.), it's still good info to have.

It doesn't take much to get started in Internet crime these days. Find the right site, hand over $50, and you can start wreaking havoc with 1,000 already-infected PCs.

Finjan, a San Jose, CA security company, looked into the "Golden Cash" site, used by black hats to buy and sell the use of hijacked computers. The crooks behind the site infect PCs (or pay others to do so) with the Golden Cash remote-control malware, and then sell access to those PCs. And that access doesn't cost much.

The Cli.gs URL-shortening service yesterday reported that an attacker managed break in via a software security hole and take over 2.2 million URL links.

The Cli.gs service works like TinyURL to convert a long URL into a short link that is easier to use in e-mails, IMs and other messages. And lucky for Cli.gs users, this attack doesn't appear to have been intended to infect hapless surfers. According to security company Sophos, the hacked links took visitors to an Orange County Register blog posting on Twitter hashtags. Antivirus maker Kaspersky confirmed there was "No malicious code has been found on that particular page," and suggests the hacker meant to show the site was vulnerable to attack but not harm PCs.

The Federal Trade Commission today announced it has taken down Pricewert LLC, a California-based ISP that it says "recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content."

According to the FTC's release, Pricewert, which also went by the names 3FN and APS Telecom, provided services for crooks involved with phishing, spyware, botnets and other scourges of the Internet. Per the notice, "the defendant advertised its services in the darkest corners of the Internet, including a forum established to facilitate communication between criminals."

Apple yesterday released updates to close a number of security holes in its QuickTime player, as well as a bug in iTunes. Both Mac and Windows versions received the update.

QuickTime 7.6.2 for Mac OS X 10.4.11 and 10.5.7, as well as Windows Vista and XP SP3, fixes a number of flaws that could be targeted if you open various types of malicious media files. The iTunes update to version 8.2, for Mac OS X 10.4.10 or later, Mac OS X Server 1.4.10 or later, and Windows Vista and XP, closes one hole that could allow visiting a malicious Web site to launch an attack.