• Tuesday, February 9, 2010   Threatpost Original

    Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.

    "It slipped through the cracks," said Emmy Huang, a product manager for Flash Player. Adobe's mea culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.

  • Tuesday, February 9, 2010   Podcast   Threatpost Original

    Digital Underground podcast with Dennis Fisher

    Dennis Fisher talks with Tyler Shields of Veracode about his BlackBerry spyware application, txsBBSPY, the coming wave of smartphone attacks and his lack of surprise about the Google Aurora attack.

  • Tuesday, February 9, 2010

    A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year. Read the full article. [KrebsonSecurity]

  • Tuesday, February 9, 2010

    Fake emails claiming to be from the IRS are a variation of the usual IRS phishing expeditions that typically target end users during tax time, but this campaign aims to infect organizational machines through corporate rather than personal email. Read the full article. [Infosecurity]

  • Tuesday, February 9, 2010

    To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for dangerous security flaws found in the code. But several experts say that's not enough money to motivate skilled vulnerability researchers. Read the full story [CNet]

  • Tuesday, February 9, 2010

    Researchers at Penn State University have developed an algorithm that defends against the spread of local scanning worms that search for hosts in "local" spaces within networks or sub-networks. This strategy allows them access to hosts that are clustered, which means once they infect one host, the rest can be infected quickly. Read the full article. [Dark Reading]

  • Tuesday, February 9, 2010

    Novell is reporting a critical security vulnerability in NetStorage which can be exploited by a remote attacker to compromise a system. The vendor has not provided any details of the vulnerability, but has stated that exploiting the vulnerability to inject and execute code does not require authentication. Read the full article. [The H Security]

  • Monday, February 8, 2010

    The prosecution of a Swedish man charged with breaching the computer networks of NASA and Cisco Systems and making off with sensitive source code will be transferred to Swedish authorities, US federal prosecutors said Monday. Read the full article. [The Register]

  • Monday, February 8, 2010

    Top-flight outsourcing firm Tata Consulting Services appeared to have lost control of its website to hackers today, with the domain apparently being touted for sale. Read the full article. [The Register]

  • Monday, February 8, 2010

    Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack. Read the full article. [KrebsonSecurity]

 
