Adam Ross

Adam Ross is managing editor at the SANS Institute. He spent several years writing, editing and Web producing for The Washington Post's opinions and politics sections, online and in print. Before working at the Post, Ross was the managing editor of The County Times newspaper in St. Mary's County, Maryland, directing the paper's operations and reporting on the Maryland General Assembly.


Apple Releases Important Security Patch

 

Apple released its iOS 4.2 update today for iPhone, iPad, and some iPods. The update includes a number of important security fixes, in particular to the Safari Web browser. This isn't the first time Apple has shipped major updates for Safari; it previously rolled out security fixes for its OS X operating system. Still, this remains an important update because of the fixes, and users may want to install it even if they are not interested in the other features that come along with it.

It's been reported that the update fixes some 80 vulnerabilities in the various products. The vulnerabilities range from possible security breaches while viewing PDFs to having your surfing history accessible to attackers. The bottom line is that your iPhones and iPads have been fair game for most attackers, and to some degree will remain that way, though it's often said that fewer attacks are directed at Apple products simply because there are fewer of them to attack.

A Day of Security Glitches, 1&1 and Facebook

 

A couple of new things filtered into the SANS Internet Storm Center this week, one being a security glitch from the ISP and domain provider 1&1. Turns out that if a user had registered a domain with the company, and opted for the private registration, those private registrations were still published in the WHOIS records. If you've used this service recently to register a domain, you should definitely check the records to see if this has affected your domain name.

Of course, Johannes Ullrich, SANS chief security officer, notes that private domain registrations are a bit controversial because they sometimes are used by criminals to hide their identities. However, there should still be an abuse mechanism in place either with the IP address that hosts the particular content or a contact point for the private registration company for people to forward complaints to, he notes.

In other news, Facebook had a recent security glitch, one that resulted in innocent accounts being locked out. Apparently, if you log in from a different IP address or region, Facebook prompts you to verify who you are. Reasonable enough. But the two options you can choose from to verify your identity, a secret security question or identifying photos of your friends, aren't working well. Even when answering correctly, users reported that they remained locked out of their Facebook pages.

Top National Cybersecurity Award Announced

 

Sen. Tom Carper, D-Del., federal CIO Vivek Kundra, and State Department CISO John Streufert won the U.S. National Cybersecurity Leadership Award on Tuesday. The award was presented by the SANS Institute to recognize their transformation of federal cybersecurity.

It's not much of a secret around Washington circles that Carper, Kundra, and Streufert have been instrumental in stopping the billions of dollars of waste on certification and accreditation reporting required by FISMA.

"They radically changed national priorities and U.S. government policy, and they acted to replace the wasted effort with continuous security monitoring and accompanying day-by-day, system-by-system accountability so measurement is immediately converted into action," said Alan Paller, director of research at SANS. "Their impact goes far beyond government."

Already hundreds of commercial organizations and government agencies are beginning to implement continuous monitoring systems of their own. The continuous monitoring system not only catches more vulnerabilities, it's far cheaper to implement than its counterpart. This is a big win for the country, and a nice recognition for Streufert, Kundra and Carper.

DNS Malware Detection Pivotal for Organizations

 

Using DNS for malware detection in larger enterprises was the topic of discussion in this month's SANS Internet Storm Center threat update. Using DNS this way is becoming more and more commonplace, and for good reason. One advantage of this particular safety measure is that it's easy to centralize, and if an enterprise has thousands or tens of thousands of desktops, that can be a huge advantage over the mess of updating antivirus across such a large number of systems.

For its part, SANS ISC has put together a bootable Linux CD distribution that has everything you might need to run your own filtering DNS server. The ISC also put together some passive DNS analysis, where all you do is sniff the traffic coming to the DNS server, then come back with a query history that you can compare to various blacklists. Both technologies have gotten a lot of positive response, and both are easy enough to do on your own.

If your enterprise has a lot of problems with desktops, or if you have an enterprise with thousands of desktops and you don't have any issue with malware, you definitely need to think about DNS malware detection. It's not uncommon for enterprises not to know they have a problem, then run the detection process and find that many of their machines have already been infected with existing malware. It's never too late to get started, but this isn't something that can be ignored.
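The blacklist comparison described above, as an added example that is not part of the original post or the ISC tooling: it reads BIND-style query log lines and reports which clients looked up a listed domain or any subdomain of one. The sample log lines, the listed domains and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
07-Dec-2010 10:01:02.123 client 10.1.4.17#53124: query: www.example.com IN A +
07-Dec-2010 10:01:03.456 client 10.1.4.22#40211: query: update.bad-domain.example IN A +
07-Dec-2010 10:01:04.001 client 10.1.4.22#40212: query: BAD-DOMAIN.example. IN A +
07-Dec-2010 10:01:05.900 client 10.1.7.80#33990: query: notbad-domain.example IN A +
07-Dec-2010 10:01:06.100 client 10.1.9.3#51000: query: cdn.c2.test IN AAAA +
truncated or unrelated line that must be skipped
"""

# Constructed blocklist using reserved test TLDs.
BLOCKLIST = {"bad-domain.example", "c2.test"}

# Client IP (v4 or v6), source port, then the queried name and record type.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+[^:]*: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)

def blocklist_match(name, blocklist):
    """Return the listed domain that name equals or is a subdomain of, else None."""
    labels = name.rstrip(".").lower().split(".")
    # Walk parent domains on label boundaries so that
    # "notbad-domain.example" does not match "bad-domain.example".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def find_hits(log_text, blocklist):
    """Map each client IP to the sorted list of listed domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        listed = blocklist_match(m.group("name"), blocklist)
        if listed:
            hits[m.group("ip")].add(listed)
    return {ip: sorted(domains) for ip, domains in hits.items()}

if __name__ == "__main__":
    for ip, domains in sorted(find_hits(SAMPLE_LOG, BLOCKLIST).items()):
        print(ip, "queried listed domains:", ", ".join(domains))
```

Matching on whole labels and normalizing case and the trailing dot keeps lookalike names from producing false hits while still catching subdomains of a listed domain.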

Microsoft Patch Day

 

Today is Microsoft patch day, and there are three patches as expected. Though all the patches are critical, the two to roll out immediately are related to Microsoft Office. The program has already been actively exploited and is vulnerable to remote attacks if a Rich Text Format (RTF) file is opened.

There is also a patch for the Forefront Unified Access Gateway. This particular vulnerability affects the administration interface for the Microsoft security solution. The patch helps protect against a few different cross-site scripting flaws. They of course could be used to take control of this particular admin interface, so if you do run Forefront, definitely patch it. The install base for the Unified Access Gateway should be smaller than it is for the Office products.
