Archive for the ‘security’ Category
WordPress blog software has been updated to version 2.6. This latest release contains about 194 bug fixes, new features such as SSL support, and a major security-related change: the remote publishing protocols, namely the new Atom Publishing Protocol and the various XML-RPC protocols, are now disabled by default to shut down a potential security risk. If you manage a WordPress blog, this should be considered an important update.
|
For the folks who still haven’t switched to Firefox 3, the Mozilla Foundation has just released Firefox 2.0.0.16, which fixes two critical security vulnerabilities: command-line URLs launching multiple tabs when Firefox is not running, and remote code execution by overflowing a CSS reference counter. As security advisories report, the latter vulnerability affects Thunderbird users too. Firefox 2 will only be supported until December, so all users are advised to upgrade to Firefox 3.
|
Facebook, one of the most popular social networking sites, has been vulnerable to a critical XSS flaw, allowing attackers to inject malicious scripts. The researchers who detected this vulnerability also posted a screenshot demonstrating the problem. One of the most recent incidents involved serving malware and live exploit URLs through vulnerable web applications, introducing Zlob trojans in the form of fake video codecs; it was initially traced back to infrastructure provided by the Russian Business Network. The security folks at Facebook were notified, and it seems the Facebook team responded very quickly and fixed the issue immediately!
|
The StopBadware.org coalition, backed by Google, has called on Apple to review the “carpet bomb” issue in the Safari browser. Nitesh Dhanjani discovered that with Safari on Windows, attackers can drop suspicious software onto a machine via booby-trapped web sites. This is possible because Safari cannot be configured to ask the user’s permission before it downloads a resource: it downloads the resource without the user’s consent and places it in a default location, Dhanjani stated.
|
The latest Microsoft Thursday security bulletin patches three critical issues for Microsoft Office and Windows and a moderate denial-of-service vulnerability in the company’s security software: a critical remote code execution vulnerability primarily affecting Microsoft Office (Word), another critical remote code execution flaw in Publisher, a critical Jet database engine issue that affects Windows 2000, Windows XP and Windows Server 2003, and a denial-of-service vulnerability in Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender and Microsoft Forefront Security.
|
Security researchers have found malicious code that triggers a critical vulnerability in the Chinese version of Windows 2000; non-Chinese users are warned to expect the same attacks. Symantec confirmed that the code posted to the milw0rm.com site successfully attacks Chinese editions of Windows 2000 Service Pack 4 (SP4) by exploiting one of the two critical bugs in the Windows GDI (graphics device interface) that Microsoft patched last week. So far the attack code works only on Chinese versions of Windows 2000, while on non-Chinese versions of the OS it merely crashes Explorer, the Windows file manager. Security researchers urge Windows 2000 users to apply all the fixes released in Microsoft’s MS08-021 security bulletin to patch their systems.
|
Internet security company Websense has reported that hackers have managed to break Microsoft’s Live Hotmail CAPTCHA in about 6 seconds. According to the reports, the latest attack on Hotmail is an evolutionary leap because the hackers’ tools are automated and operate almost instantaneously. CAPTCHAs are viewed as a spam defense and a way to distinguish humans from computers. Google says CAPTCHA security is still useful, but others are starting to claim this is no longer true. The steps of the CAPTCHA-evading attack are similar to previous attacks, according to Websense: a bot hooks into Internet Explorer, observes account names, uses IE to sign up for Hotmail accounts, grabs the CAPTCHA and breaks it, creates multiple accounts and then uses them to send spam.
|
Adobe has released a security bulletin informing all Internet users about multiple vulnerabilities in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, that could lead to remote execution of arbitrary code. Additionally, the update includes countermeasures against DNS rebinding attacks and cross-domain policy abuse. It is strongly recommended to update to the newest Adobe Flash Player version, 9.0.124.0.
|
Virus Bulletin tested 37 different Vista-based security programs to see which could reach the level of threat detection required for ‘VB100’ certification. Of the 37 tested, 17 failed, including products from McAfee, Sophos, and Trend Micro. The VB100 test sets a very high detection bar: 100 percent of a subset of malware defined by a collection known as the ‘WildList’. Programs must also, using default settings, avoid false positives, that is, flagging files as malware-infected when they are in fact innocent. While McAfee, Sophos and Trend detected 99.99% of the WildList, other programs fell some way short of this ‘almost’ status: Doctor Web reached only 95.21%, and Security Coverage PC Live managed just 84.35%. Microsoft’s much-criticized Windows Live OneCare and Forefront Client Security both hit the VB100 100 percent mark.
|
It is April Fool’s Day and we have been informed about new Storm mails that link to a bare IP address. If you follow the link you are redirected to an “interesting” page with a downloadable executable, so it is advisable to be very cautious if you receive any Fool’s Day messages today!