Windows XP and Vista users running Safari browser are advised to update their browsers to the latest version. Last night Apple Security Update released new patches for spotted holes while visiting a malicious websites. WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

New malware using usual holidays greeting has been spotted. Spammer sends attachment called Happynewyear.exe and when user runs it a nice Christmas tree installs to your desktop and Systray. Malware, Trojan-PSW:W32/Delf.BBE monitor you computer and steals passwords and other information and sends them to lbss.3322.org. Usual precautions are advised. Do not install this attachment.

Latest Microsoft security patch apparently doesn’t work well with Internet Explorer 6 and 7 XP or Vista. First error reports surfaced at message boards and help websites. Error encounter when user open default homepage “My MSN” and “Internet Explorer has encountered a problem and must close” dialog appears. Microsoft is investigating the issue and working on resolving it.

Due to the package compromise of SquirrelMail 1.4.11, and 1.4.12, we are forced to release 1.4.13. Tests showed that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim’s server. This could grant the attacker the ability to deploy further code on the victim’s server. New patched version is available for download at squirrelmail.org

Apple has shipped new update for Java runtime to patch about 18 vulnerabilities that expose Mac OS X users to remote code execution attacks. The Java Release 6 for Mac OS X 10.4 patches multiple critical holes in Java, Java 1.4 and J2SE 5.0, and includes a well-known issue that was left unpatched by Apple for more than a year.

Intel is preparing to introduce new security features in its next-generation vPro microprocessors which will improve encryption support while making systems easier to install and manage. Built under the code-name ‘Danbury’, the embedded security features is planned to be introduced in early 2008. New microprocessors promise to improve the efficacy of commercial encryption tools via onboard integration hooks for the programs, and by adding a new layer of hard drive protection when vPro-powered computers are powered-down. As Intel’s officials claims, the addition of the Danbury technology will also make it far easier for organisations to put encryption applications into place by directly addressing the common headache of key management within the new embedded security tools. New Danbury tools represents only the latest in line of security and management technologies embedded directly into the vPro lineup by Intel, including the already announced Active Management Technology which is aimed at making it easier for administrators to do remote updates on corporate machines, such as for installing anti-virus updates or operating system security patches.

Apple shipped new QuickTime version to patch all spotted vulnerabilities for Mac OS X and Windows users. The QuickTime 7.3.1 update addresses the QuickTime RTSP, Real Time Streaming Protocol, Content-Type header flaw that was first released on security mailing lists on November 26. Exploit code for this vulnerability, which dings Mac and Windows machines, is publicly available. Latest update also patches a high-risk vulnerability that allows hackers to manipulate QTL files to crash QuickTime or launch malware attacks. Not counting silent fixes, Apple has patched at least 35 security holes in QuickTime this year rating itself high on list of most vulnerable Windows applications.

Same day as Microsoft released fixes for 11 software flaws, UC-CERT reported new vulnerability in Microsoft Access databases that can be used by hackers for attack. According to a US-CERT alert, the attacks are using an unpatched stack buffer overflow vulnerability in the way Microsoft Access handles specially crafted database files. To help protect against this type of attack, do not open attachments from unsolicited email messages and block high-risk file attachments at email gateways. The flaw affects Microsoft Office Access 2003 on Windows XP SP2.

Symantec rolls out December State of Spam Report with reviews of past month’s key trends and analysis. As company claims, monitoring over 450 million inboxes worldwide observed 72% spam emails in overall email traffic. Most of those mails were from spammers from guessed email addresses. Also, as end of the year approaches, there are increase in holiday gift scams, fake lottery, infected snowball images and always present replica products. Spammers were also on the hunt for new email addresses, initiating a massive harvesting campaign. For more trends and analyses read the December State of Spam Report.

America Online continues to have problems securing its AIM instant messaging service. After spending last few months struggling to develop a comprehensive fix for a bug that exposed fully patched versions of AIM to a nasty worm attack, last week company shipped a silent, server-level patch to fix a gaping hole that allowed hackers to gain complete control of any PC running the latest version of AIM. Obviously AIM 6.5 client remains vulnerable to the same fundamental weakness, potentially allowing malicious hackers to create a worm that infects thousands of users in a matter of hours.