Thanks to no single major vulnerability this week, here’s a
roundup of the latest security threats out there, including troubles with
Netscape 8, an update to Mac OS X, rumblings in open source heaven, a new form
of online extortion, and even a Prius warning.
Details
No single major security threat has emerged recently, so
I’ve decided this week to concentrate on a hodgepodge of various important
threats. While all of these threats are equally significant, there’s no real
underlying thread to unify them all. Nevertheless, these vulnerabilities are important to someone, so I’m using a
different format this week to address all of the threats equally.
Apple update
Apple has released the Mac OS X 10.4.1
Update, part of which confirms the existence of a file disclosure
vulnerability in the Bluetooth implementation of Mac OS X 10.4. A pair of file
access vulnerabilities has also surfaced, but they’re less critical because they
only expose files locally. In addition, the update addresses a Dashboard widget
vulnerability in Mac OS X 10.4, which can allow a malicious site to download
Dashboard widgets without warning.
Browser woes
Netscape has apparently found the perfect way to combat Internet
Explorer. According to Dave Massey’s
blog reports, installing the recently released version 8 of the browser appears to
break XML rendering in IE. Some people say this is unimportant; however,
they apparently don’t know that RSS feeds are XML.
In addition, a report
on Angelfire points out that Netscape 8 relies on some IE code to render
trusted pages—now that’s taking an
independent stand!
The same report includes a note that the author tried to run
Netscape 8 on an old Windows version without IE installed, and Netscape won’t
work. So, that apparently means that Netscape is dependent on IE and therefore is
likely vulnerable to Internet Explorer bugs, as well as Firefox and Mozilla
bugs it hasn’t yet patched (it’s always a generation behind Mozilla and Firefox)!
Can you say the worst of both worlds?
Also, users who rushed to download Netscape 8 (someone out
there must have) need to download version 8.0.1—released one day
later—to fix the already known holes in Firefox 1.0.3, which served as the
basis for Netscape 8. The moral here is that if you want to have the latest
patches, you should probably stick to Firefox. And all of this comes out after
AOL/Netscape bombarded users with ads about how secure the new Netscape version
was going to be.
For Firefox fans (count me in), Internet services company Netcraft
has released an anti-phishing toolbar for Firefox—a welcome security feature
that Mozilla.org seems to have left out of an otherwise reasonably solid
Firefox. For more details, check out the
News.com report. And, in case you missed it, News.com also offered an
analysis of why
Firefox adoption appears to be slowing down, as well as a nice slideshow
about Netscape 8’s new
features.
Open source switch
Over on the open source front, according to a
Forbes report, Larry McVoy, BitMover CEO and long-time open source ally of
Linus Torvalds, has jumped the open source ship, proclaiming, “Open source as a business model, in isolation, is pretty much
unsustainable.”
Spam and scams
I received some interesting spam the other day from Harrison
Direct on behalf of DeVry University, essentially offering to teach me best
practices in IT so I can get ahead. I wonder what they say about spam and
HTML-only e-mails in their courses on e-commerce and security?
Whatever it is they have to say, I don’t think I want to
hear it. In fact, I’m doing a quick check because I think the message violates the
CAN-SPAM Act—particularly since I’ve never had the slightest association or
contact with DeVry.
Meanwhile, CipherTrust has built an online
ZombieMeter that shows how many PCs (probably unknown to their owners)
spammers are currently using to spread unsolicited e-mail. The
ZombieMeter also shows trends and the geographic location of those zombie PCs.
Encryption: It’s not just for security anymore! Reports are
emerging about crooks who are using malicious Web sites to penetrate systems—not to steal data
but to encrypt files. They then offer to decrypt the information for a fee.
In legal terms, that’s what we call extortion.
Bugs on the move
And finally, just when you thought it was safe to get away
from the office and go for a nice relaxing drive with no worries about software
bugs, the U.S. National Highway Transportation Safety Administration has received
13 reports of Toyota’s
Prius gas-electric hybrid cars (2004 and 2005 models) stalling or shutting
down at highway-driving speeds. The problem appears to be a software glitch in
the car’s complex computer system. Wow, talk about a software crash! To be
fair, there have been no reports of injuries associated with this problem, but there
have also been no reports about whether this glitch has caused any crashes.
I hope all my loyal readers—as well as those who just read
this to catch me in a mistake—have an enjoyable holiday weekend.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.