Antivirus Software


Mary's Antivirus Software Blog

By Mary Landesman, About.com Guide to Antivirus Software since 2000

Microsoft Zero Day Cause for Concern

Wednesday July 8, 2009

An unpatched buffer overflow vulnerability in an ActiveX control used by Microsoft DirectShow is being actively exploited in the wild. A large number of websites in China have been compromised and are being used to distribute the exploit. Malicious ads targeting game sites are also employing the zero-day exploit. The exact malware that results depends on the attack vector encountered, but thus far consists of a range of data theft and password-stealing trojans.

According to Shavlik Technology, the problem-causing ActiveX control "doesn’t serve any purpose within Internet Explorer" - which makes it even more alarming that Microsoft has known about the problem for over a year and neglected to fix it.

To work around the problem while awaiting a patch, Microsoft recommends setting a kill-bit for the offending ActiveX control - a protection method that can lead to application problems and has a not-insignificant failure rate (as in, it may not protect you).

My recommendation: switch to Firefox with NoScript. Now.
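
One way to confirm that a kill-bit actually took effect is to audit an exported copy of the registry. This is an added example, not code from this blog or from Microsoft. It assumes a 64-bit Windows machine and a regedit export already decoded to text, and the CLSID is a placeholder because the post does not give the real one.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control
BASES = (  # 64-bit Windows keeps a separate 32-bit view under Wow6432Node
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

def parse_reg(text):
    """Return {key_path: compatibility_flags} from regedit export text."""
    flags, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.fullmatch(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})', line)
            if m and key:
                flags[key] = int(m.group(1), 16)
    return flags

def kill_bit_status(text, clsid):
    """Per registry view: 'set', 'flags-without-kill-bit', or 'missing'."""
    flags = {k.lower(): v for k, v in parse_reg(text).items()}  # key names are case-insensitive
    status = {}
    for base in BASES:
        value = flags.get(f"{base}\\{clsid}".lower())
        if value is None:
            status[base] = "missing"
        elif value & KILL_BIT:
            status[base] = "set"
        else:
            status[base] = "flags-without-kill-bit"
    return status

def is_protected(text, clsid):
    """True only when the kill-bit is set in every registry view."""
    return all(s == "set" for s in kill_bit_status(text, clsid).values())

# Constructed sample export; the CLSID is a placeholder, not the real control's.
CLSID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + BASES[0] + "\\" + CLSID + "]",
    '"Compatibility Flags"=dword:00000400',
])

if __name__ == "__main__":
    for base, state in kill_bit_status(SAMPLE, CLSID).items():
        print(state, base)
```

The constructed sample sets the kill-bit only in the native view, so the 32-bit view reports `missing`, one way a kill-bit can be applied and still not protect a 32-bit browser.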

High Cost of Consumer Support

Tuesday July 7, 2009

Just got an email from a PR agency which reads in part:

Given the emergence of online consumer tech support services over the past year we thought a trend story about how these new services are offering consumers a cost-effective and highly efficient way to resolve home computing security issues (and much more) would be very timely.

To substantiate the need for the service, the same email includes a Consumer Report estimate that "U.S. consumers spent $7.8 billion over the last two years for computer repairs, parts and replacements".

The PR message offers, "...for a more in-depth service review we'd be happy to provide you with access to BluePhone -- let us know and we will have the company set it up."

I looked up BluePhone and discovered they charge between $30 and $100 per incident. Flat rate is $200 a year. The population of the U.S. is approximately 306 million, so the estimated $7.8 billion over two years works out to less than $15 a year per citizen.

How exactly is going from less than $15/yr to paying $200/yr considered cost effective?

How to Restore System Files

Monday July 6, 2009
Sometimes mistakes happen. Whether the result of a false positive from antivirus software or a misunderstanding of a file's function, on occasion a valid system file can be inadvertently deleted or quarantined. Sometimes, the results can seem disastrous - a looping blue screen each time you try to boot up the PC. Other times, a stop error with a cryptic message may be the result. Here's how to replace the missing file(s) to get your system operational again. >> How to Restore System Files

Greeting Cards Bearing Trojans

Monday June 29, 2009
Attackers commonly use greeting card scams to foist trojans on the unsuspecting. In recent weeks, the rate of greeting card scams appears to have been increasing. Fortunately, there are some tell-tale signs and tips to follow that can help you avoid becoming a victim. >> Greeting Cards Bearing Trojans

Free Firewalls

Wednesday June 24, 2009
A firewall offers important security protection, but only if it's configured properly and used appropriately. Any decent firewall should offer basic NAT protection. Beyond that, mileage may vary. For example, a permission-based firewall that gives carte blanche to Internet-connecting applications will not be as effective as a firewall that seeks permission each time. However, inexperienced users who may not understand firewall alerts may need to sacrifice a bit of security in exchange for ease of use. To help decide, here's a list of the best free firewall apps for Windows.

Symantec Warns of Twitter Spoofing Email Worm

Friday June 19, 2009
Antivirus vendor Symantec is warning about an email worm (W32.Ackantta.B@mm) that masquerades as a Twitter invitation. The email carries a zip attachment (Invitation Card.zip) which, if opened, infects the computer with a copy of the worm, harvests email addresses, and then sends the same bogus email to the email addresses it collected. Fortunately, most ISPs and companies have forced malware scanning at the email gateway so this Twitter spoofing email worm is unlikely to get through. Plus, email worms carry attachments so they are really easy to identify and block.

Of bigger concern for email users are the current runs of malicious email claiming to be Microsoft security updates, Outlook updates, or package information from UPS. Those don't carry suspicion-causing attachments - just malicious links. The messaging is easily believable to inexperienced users, so the likelihood of click-thru and infection is pretty high. Fortunately, all the runs I've seen so far have contained malware links that are already dead. Seems like the good guys got a head start for a change.

Antivirus vs. PopCap: A Game of False Positives

Thursday June 18, 2009
A stream of false positives has had game developer PopCap playing leapfrog with security vendors over the past several months. PopCap is the maker of the highly popular Bejeweled, Bookworm, Plants vs. Zombies, Zuma, and dozens of other games. With a billion downloads since 2000, PopCap games are widely distributed and thus the false positives are particularly vexing. Initial mis-reports were from AVG, then Avast, followed by BitDefender, Kaspersky, Lavasoft, and ZoneAlarm. Unconfirmed reports suggest that Panda Software and Spybot Search & Destroy have, in the past, been among those who have erroneously alerted on the games.

If you should receive a virus alert on a PopCap game or one of its components, and you are certain that your copy of the PopCap game is legitimate, try adding the detected file to the antivirus scanner's exclusion list. If you aren't certain the file is a legitimate PopCap component, follow the tips outlined in Six Steps to Tell if a Virus Alert is Legitimate. If you do determine it's a false positive, be sure to notify your antivirus vendor so they can fix the problem and spare other users (and PopCap) the aggravation.

Fraudsters Charge for Free AV

Wednesday June 17, 2009
The makers of the free Avast antivirus have been plagued by scammers who set up fraudulent websites and charge for the free antivirus download. To download the free Avast antivirus (or to purchase the pro version of Avast), be sure to use the legitimate URL: www.avast.com. For more details, see: Fraudulent sales of avast! products

Dell Discounts Security

Wednesday June 17, 2009
Between June 17 - 25, Dell is offering discounts on the following home user security software:

Worm-able Smart Meters Not so Smart

Monday June 15, 2009
A push by the government and power companies to roll out 'smart meters' on a short deadline could leave up to 52 million U.S. citizens at risk. As Dan Goodin of The Register reports, the proposed meters "are riddled with security bugs that could bring down the power grid". The risk is more than hypothetical. Security researchers for IOActive have already discovered vulnerabilities in the devices' update feature and plan to demonstrate the wormable risk at next month's Black Hat conference. For details, see: Buggy 'smart meters' open door to power-grid botnet

©2009 About.com, a part of The New York Times Company.

All rights reserved.