Hello and welcome to the CERTStation Podcast for the 23rd week of 2010. I am Jay Johnson and these are the headlines:

Microsoft patches 34 holes in recent patch Tuesday (pause)
Samsung ships infected memory cards with their Wave devices for the German while
Adobe users are at risk from a Zero-day vulnerability circulating on Internet (pause)
Apple purges a decade-old browser history leak in their Safari web browser and Finally
New security and management software targets enterprise Smartphone's

And now for this week's newswire details
Next Tuesday Microsoft plans to close 34 vulnerabilities in Windows, Internet Explorer and Office. Six of the announced bulletins alone refer to vulnerabilities in the Windows operating system, with the company rating four of the vulnerabilities critical. The bulletin for Internet Explorer is also rated critical, although the exact number of holes to be closed remains unclear. A vulnerability that was disclosed in February and allows specially crafted web pages to read arbitrary files on a Windows PC is now also scheduled to be closed. All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are generally affected by this hole. In Internet Explorer 7 and 8 under Windows 7, Vista and Server 2003 & 2008, the hole can't be exploited when the web browser is running in protected mode which is the default setting. Another patch is to close a cross-site scripting hole in SharePoint.

(pause)
Samsung's recently released S8500 Wave smartphone is reportedly being supplied with a 1 GB microSD card which contains a Windows Trojan. Samsung has, however, told US media that only the initial batch of Smartphone's bound for the German market is affected and that more recent phones and phones destined for other markets are virus-free. Samsung has not yet released an official German comment or issued a warning. The Smartphone, which uses Samsung's proprietary Bada operating system, is not itself infected. If, however, the phone is connected to a Windows system, the autorun.inf file attempts to run the file slmvsrv.exe via AutoRun where autorun is enabled. The latter file conceals a Trojan called Delf which is detected and blocked by up-to-date anti-virus software. Vodafone recently sold 3,000 HTC Smartphone's with memory cards containing the Windows bot Mariposa.

(pause)
Adobe is reporting a zero-day vulnerability that could cause system crashes or allow attackers to take control of affected systems. According to a security advisory from Adobe, there is a critical vulnerability in Flash Player 10.0.45.2 and earlier versions and in the authplay.dll component that ships with Adobe Reader and Acrobat 9.0 Windows, Mac OS X, UNIX and Linux versions are all vulnerable. Attackers can exploit the hole to crash the software or gain control of the system and there are already reports of exploitation in the wild for all three products. In a blog, researchers at Symantec say that the attack involves Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed. Adobe has not patched the problem yet, and a schedule for the release of a fix has not been set. Adobe says it will notify users as soon as a patch becomes available.

(pause)
Apple Safari has become the first major browser to be purged of one of the web's longest-running privacy defects the ability for any site owner to effortlessly steal a complete copy of your recent browsing history. The browser history disclosure leak is as old as the World Wide Web itself, and it afflicted every major browser until now. Starting with versions released Monday, Safari no longer coughs up the list of websites a user has visited. The change is one of almost 50 security fixes Apple engineers added to versions 4.1 and 5.0 of the browser. The attacks succeeded just fine against Google Chrome and Firefox, and one of them succeeded even when Firefox was running the NoScript add-on. According to the results of more than 271,000 visits captured in a recent study, the vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. Surprisingly, the proportion was even higher for those using Safari and Chrome and among browsers that turned off JavaScript. In April, Mozilla said it planned to fix the browser history leakage in an upcoming version of Firefox. While recent beta versions of the browser have the feature turned on, the latest production version remains wide open. Chrome and Internet Explorer are also vulnerable.

(pause)
A new client-server software product is designed to secure and manage Smartphone's and other mobile devices in the enterprise, including iPhone. The vendor, Mobile Application Development Partners, says the software can be installed with no changes to existing network or security infrastructures. Mobile Active Defense Enterprise Unified Threat Management is preparing a beta test phase later this month, with no scheduled shipping date. Pricing isn't being disclosed. The product has two parts. A small client application is downloaded to the device to configure it for the UTM server. MAD supports devices running Apple's renamed iOS for iPhone, iPad, iPod Touch, Windows Mobile, Android and Symbian operating systems. The client collects information about the mobile device and delivers a certificate of authority. The server application combines a firewall for Smartphone's, a rules-based policy creation and enforcement program, and mobile e-mail security including screening for phishing attacks and malware that's based on MAD's existing software. A somewhat similar solution is a joint effort from MobileIron, which offers a server appliance packed with software to monitor the Smartphone's, and Enterprise Mobile, a Microsoft-backed mobile integrator in Watertown, Mass.

If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.