An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft’s Virtual PC virtualization software to malicious hacker attacks.

The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations --  Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) -- to exploit the Windows operating system.

Microsoft has released a one-click "fix-it" workaround to help Internet Explorer users block malware attacks against an unpatched browser vulnerability.

The Fix-It workaround, available here, effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer.  

By Andrew Storms

Every month, like clockwork, Microsoft releases security bulletins and every month people ask me if it's small or a big release. While the exact details of the patches are generally treated as news, the expected workload each month really shouldn't be a guessing game because Microsoft's patch releases are predictably cyclical.

The March issue of Information Security magazine is out this week. The cover story is a look at how security information management systems need to evolve, in particular by integrating identity management with SIM in order to tie policy violations to user activity. Also, expert Andrew Jaquith writes about how to measure meaningful information security metrics. Finally, editor Marcia Savage takes on the HITECH Act's impact on HIPAA and how health care organizations must up their security game. Download the issue here [PDF]

Apple has shipped a new version of its Safari browser to plug multiple serious security vulnerabilities.

The Safari 4.0.5 update, available for Mac OS X and Windows, fixes flaws that could lead to remote code execution if a user is tricked into surfing to a maliciously rigged Web site.

The Veteran Affairs Department's inspector general has launched a criminal investigation into a physician assistant's alleged downloading of veterans' clinical data at its Atlanta medical center.

The assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years' worth of patient data and another held 18 years of medical information.  Read the full story [nextgov]

Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code.

The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

Malicious hackers have pounced on a newly patched Adobe PDF Reader vulnerability to plant Trojan downloaders on tardy Windows users.

According to researchers in Microsoft's malware protection center, the vulnerability (CVE-2010-0188) was patched less than a month ago, proving that malicious hackers are quick to find fresh targets for malware.

A zero-day (unpatched) vulnerability in Microsoft’s Internet Explorer is being exploited in the wild, the company warned in an advisory issued today.

On the same day it issued software fixes as part of its Patch Tuesday schedule, Microsoft released a pre-patch advisory to warn of the risk of remote code execution attacks against users of IE 6 and IE 7.

The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.