A new blog posting from network security firm eSoft explains that adware pushers are trying to capitalise on the success of Firefox 3.6 in order to extend their reach.

The fake Firefox download site uncovered by the firm has been designed to fool users hoping to upgrade, but contains the spelling errors which are often a tell-tale sign of a scam site, said the blog posting.

"Victims of this scam install the 'Hotbar' toolbar by Pinball Corp, formerly Zango," the post noted.

"Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray."

ESoft warned users only to download software directly from the publisher, where possible.

Since then, both the French and German authorities have urged their citizens to use another browser until the flaw is patched.

But Microsoft UK's chief security officer Cliff Evans was keen to stress to V3.co.uk yesterday that although the vulnerability technically affects IE6, IE7 and IE8, "the exploits we're seeing out there at the moment only affect IE6", which is the smallest group of IE users in the UK.

The message was loud and clear - upgrade to IE8, whose advanced security features which include the SmartScreen filter and Data Execution Protection, will make it extremely difficult for hackers to implement the exploit code effectively on this browser.

As to whether Redmond will implement a security fix as part of the next scheduled patch Tuesday or an out-of-band release, Evans argued the team will need to take a considered view.

"The actual risk is minimal - you'd need to be using IE6 on XP and to visit these [malicious] sites," he added. "We'll have to balance the perceived risk with getting people to roll out yet another update."

First the 419 scammers. According to a new blog posting by Symantec Hosted Service, aka MessageLabs, the classic advance fee fraud scammers are exploiting the news to part well-meaners with their cash, sending emails purporting to be from charities such as the British Red Cross, requesting donations.

"Exploiting tragic world events for personal gain unfortunately seems perfectly acceptable for some cyber criminals, and the Haiti Earthquake 419 advance fee fraud example highlights that there are no boundaries on what they'll attempt to profit from," wrote malware data analyst, Matt Nisbet.

"The public needs to be aware of such scams so that they can be more vigilant when visiting donation websites, ensuring vital donations arrive at the intended locations, rather than lining the scammers pockets."

The other main strategy taken by the cyber-criminals has been blackhat SEO-ing, or SEO poisoning. This is when the crims piggy-back upon a news story of widespread interest to promote their own malicious sites into the top of the search rankings, by cramming the sites full of keywords. F-Secure and Websense both warned users to ensure their AV tools are kept up-to-date and they have real-time content scanning capabilities.

"Websense Security Labs ThreatSeeker Network has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program," read a posting on the Websense Security Labs blog.

"Unfortunately, the bad guys use major crises and events like this to spread their malicious code."

In a blog posting, Sophos senior security consultant Graham Cluley highlighted a recent Spanish-language spam email he noticed, which claims to point to an update for the Adobe Flash Player.

Clicking on the link in the email would take a user to a page requesting they download an "update" to Adobe Flash, which is actually malware. However, as Cluley points out, the email is littered with spelling mistakes, such as "Adoble" instead of "Adobe",

"So how do these tiny clues and mistakes manage to sprinkle themselves into a hacker's attack? Is there some divine intervention that is ensuring that so many cyber criminals keep making daft errors, putting a spanner in the works, and helping to tip off potential victims? Whatever the reason, I hope it continues for as long as there's a malwre problem," wrote Cluley.

Apart from regarding any unsolicited emails with suspicion, users should always visit the vendor's own site for any updates, he advised.

But while some cyber criminals are continuing to leave obvious errors in their emails or malicious sites, which should tip off wary users, the general trend appears to be towards greater professionalism in the cyber criminal world. If it's one thing criminals do well, it's that they learn quickly and stay agile.

So while it's obviously important to keep an eye out for any grammatical or other errors that could set alarm bells ringing, users can no longer be guaranteed that e-mail and web threats will be as easy to spot in future. Comprehensive real-time content scanning tools are an essential addition for any computer user today.

Firefox 3.5.6 and 3.0.16 suffered from crashes due to memory corruption, according to the Mozilla security advisory.

"Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products," the advisory noted.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

There are a total of 62 fixes for bugs in the new version of Firefox.

"We strongly recommend that all Firefox users upgrade to this latest release," noted a posting on the Mozilla Developer Center blog.

"If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."

The report found that most (19 per cent) of breaches are caused by keyloggers and spyware, closely followed by backdoor/command and control and SQL injection attacks.

Abuse of systems access comes swiftly behind and unauthorised access via default credentials is in fifth place.

So having detailed what are the most common threats to guard against, Verizon helpfully then lists each in detail, including how to spot an attack, how to mitigate one, and a useful case study to provide more background info.

The information may seem like basic stuff to many CISOs, but is likely to go down well among those organisations at the smaller end of SME which are struggling to keep their heads above water with limited IT, and even more limited information security, resources at their disposal.

That is, at least, according to security giant Symantec, which has commissioned a new survey into the upgrade habits of enterprise customers, either with alarming speed or uncanny foresight.

The vendor interviewed nearly 1,500 IT managers in UK, France, Germany and Italy and found that just over a third had major concerns over hackers targeting newer desktop software to find vulnerabilities.

A quarter said they would hold off on upgrading for at least another 12 months, while two-thirds said negative press coverage played a role in influencing their decisions to upgrade.

Which is all very well, but are IT decision makers really that easily swayed by so-called 'negative press coverage'? The letters and comments we get here at V3 would seem to suggest not.

Surely the level-headed IT manager would be wise enough to realise that any new operating system or desktop software is likely to receive an unduly large amount of media scrutiny, including how safe or otherwise it is.

We all know that bigger security risks lie with systems remaining unpatched against known flaws, whether those systems are fresh from the factory or not.

The security giant said that Microsoft would be using its Secure Sockets Layer (SSL) certificates, and Code Signing Certificates, to create a layer of security for its Azure platform of cloud based services and applications.

Doug Hauger, general manager of Windows Azure at Microsoft, said: "With VeriSign SSL and Code Signing Certificates, VeriSign is providing proven safeguards that help ensure a trusted experience on the Windows Azure platform."

VeriSign's security tools will be use to protect services and applications delivered over the cloud. Currently Azure comprises a mixture of services including an operating system and developer and deployment tools. Microsoft said that by adopting it firms could reduce their costs and system complexity.

The researchers apparently did what they do best, and studied Mega-D and its behaviour. By doing this they were able to to identify its control structure and other features, and the bot herders back where it hurts. Late last week they brushed some dirt off their white coats, starting ringing around ISPs, disabling control servers, de-registering any of the bots' used domains, and registering any unused fallback ones. In short they threw a whopping great spanner directly into Mega-D's works.

According to M86 Security labs Mega-D was responsible for almost a third of all spam last year, while over the weekend it slowed to just a trickle, and yesterday had stopped altogether. Current suggestions are that before it was taken down, Mega-D was pumping out some 15,000 messages per hour, which is a lot of junk emails

The actions also let them get a better understanding of the bots, such as the fact that they used hard-coded DNS servers, domain generation algorithms and fallover domains. Regardless of this, anyone with an inbox should be glad that it is over, at least for now.

Sun's was the larger of the two tasks, patching 12 flaws in its Java Runtime Environment, including one vulnerability which allows "an untrusted Java Web Start application to run as a trusted application and execute arbitrary code".

Java and other third party applications are increasingly being targeted by hackers thanks to large installed base and the fact that Microsoft is getting better at protecting its own software.

RIM, on the other hand, had just the one flaw to patch, releasing a fix for a flaw in the BlackBerry Desktop Manager which could allow remote code execution. The vulnerability was given a CVSS severity rating of 9.3 and applies to BlackBerry Desktop Software version 5.0 and earlier on all platforms, so it warrants immediate attention.

Unsurprisingly for a vendor looking to shift as many units of its data loss prevention solution as possible, the research paints a pretty grim picture. Of the 1,000 UK adults asked to rate their level of confidence on a scale of one to six, with one the most confident, banking came out top with 3, while retail, telecoms, transport and the public sector fared slightly worse.

Online retailers may have something to think about if this research is to be believed as they scored the worst, with a 3.7 average.

Symantec's senior product marketing manager for data loss prevention, Chi-Chi Liang, did a wonderful job of marketing Symantec's product for data loss prevention, by declaring that the low level of trust can be linked to an increasing number of high profile data loss incidents - many of which have been caused by simple employee error.

"The task for organisations in both countries is to win back customer confidence by reassuring them that world-class data loss prevention measures are in place," added Liang. We can't think whose DLP tools Ms Liang might be referring to.

To take a more glass-half-full view of this research though, isn't it more noteworthy that public confidence is still so high, despite the ever-increasing barrage of data loss incidents from public and private sector?

If most sectors scored around a 3, which is mediocre, then one could say public confidence is more resilient to media scare stories than we perhaps give it credit for.

Aside from her other major theme, promoting IE8 as the best browser in the world ever, Barzdukas quite rightly pointed out that users need to be educated without being scared.

"We haven't struck the right balance of how to inform users without terrifying them," she added.

In the keynote following, Soca and FBI representatives highlighted just how lucrative a market scareware has become, pointing out several affiliates in scareware programs who are making in excess of $100,000 a month by profiting from the fear and lack of awareness of consumers.

Barzdukas also urged industry to better understand how consumers interact with computers and how they treat security warnings.

She used IE8, naturally, as a good example of how to minimise the risk of end users making the wrong decisions and ignoring security warnings presented on the screen in front of them.

She detailed features such as a pop up box which appears to warn users if they are about to download potentially malicious software. Instead of having a continue button the same size as a cancel instruction, the Microsoft team has worked to minimise the former, she said.

Possibly because it feels a bit like a taxi driver dropping its passengers off at some dodgy destinations, the firm will send snippets of code to webmasters, alerting them to problems on their sites and generally giving them a nudge in the 'clean up your act' direction.

The new information will appear as part of Webmaster Tools, a suite of tools provided by the firm. "In addition to helping the webmasters of sites with malware warnings, this new detail is also designed to promote the general health of the web," Google's Lucas Ballard said on the firm's online security blog.

"While we're excited to offer this feature, we caution webmasters to use the tool only as a starting point in their site clean-up process," he added.

"Google's scanners may not be able to provide malware samples in all cases, and the malware samples may not be a complete list of all the malware on the page. More importantly, we advise against simply removing the examples that are displayed in Webmaster Tools. If the underlying vulnerability is not identified and patched, it is likely that the site will be compromised again."

Webmasters have to be registered with Google in order to get nagged in this way. Form an orderly queue please.

The research, from app security firm Imperva, may seem a little of the "they would say that" variety, but nevertheless illuminates the attitudes of many multinational firms when it comes to protecting sensitive customer data.

It found that 71 per cent of firms still don't treat data security as a top strategic initiative, while 55 per cent said they only secure credit card information and not other sensitive information such as Social Security numbers, driver's license numbers, and bank account details .

Unsurprisingly, the report said companies taking a strategic approach to PCI compliance have fewer data breaches.

More interestingly, nearly two thirds of the firms surveyed said they don't have the resources to comply with PCI. Given that many of these are multinationals, that figure seems alarmingly high, and if true, would seem to indicate security teams need to work harder to communicate to the business the importance of compliance with the standard.

"Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data," said Larry Ponemon, chairman and founder, Ponemon Institute.

"The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate--many more have not."