(InfoWorld) - Push e-mail provider Visto says it will be able to send enterprise e-mail to iPhones starting later this year.

Microsoft Exchange and Lotus Domino e-mail users will be able to send and receive messages on the iPhone, either as an individual user or on a corporatewide basis. Apple's much-hyped iPhone goes on sale on Friday.

Individual users will download an application to their PCs. As e-mail messages arrive, that application transfers them from the PC to Visto's network operation center and then on to the user's iPhone. Users will automatically receive the e-mail in the standard client software that comes with the iPhone, said Haniff Somani, vice president and chief architect at Visto.

Users must leave the PC on for the e-mail messages to reach their iPhone. To set up the service, a user will enter Visto's server address into the IMAP application on the phone, he said. IMAP is a standard messaging protocol.

An enterprise could also buy server software that would push e-mail out to all the iPhone users in the company in a process that works in a similar way to the PC application.

Early reviewers of the iPhone have written that users will be able to receive Exchange e-mails on the phone, but Somani pointed out some reasons that might not be a popular idea at enterprises. In order to push Exchange e-mail to the iPhone directly, IT administrators would have to open a hole in their firewall that allows the IMAP data to flow back and forth, he said. That can be dangerous because it opens a door to potentially malicious activities.

Analysts agreed. "IMAP is not something they want to open up," said Ken Dulaney, an analyst at Gartner. "Most enterprises, when they hear that, say 'There's no way I'm doing that.'"

In addition, the direct IMAP services usually have poor performance, he said.

With Visto's service, the enterprise doesn't have to open the IMAP port because the Visto server resides behind the firewall, Somani said.

Ideally, Apple would license Microsoft's ActiveSync in order to support Exchange e-mail on the phones in a more robust and secure way, Dulaney said. That's how Nokia, for example, supports push e-mail to certain devices, he said.

He suggests that enterprises may be wary of the Visto offering because Visto is associated with mobile operator-based services and enterprises don't always trust operators with such services. In this case, Visto is hosting the network operations center itself but must still work with AT&T, which has said it will enable IMAP in its network for the service, Visto said.

Starting late in the third quarter, Visto plans to offer a beta version of the service that will be free to use for 60 days. iPhone users can register their interest in the beta on Visto's site. Visto isn't yet saying how much it will charge for service.

Visto typically requires users to download a small application on their phones that improves the speed with which they get mail and consumes less data than IMAP, Somani said. However, Apple is only allowing third-party applications for the iPhone that are browser-based, so companies like Visto can't write software that can be loaded onto the phones.

In April, a source at AT&T said the operator was planning to support the iPhone from a billing and customer support perspective for enterprise customers. However, an FAQ recently posted to AT&T's Web site says the iPhone will only be available to consumer accounts.

(InfoWorld) - Phishers have been using compromised MySpace.com accounts to attack unsuspecting Web surfers, security experts said Thursday.

The attack is thought to have infected several thousand PCs according to reports from ISPs, said Johannes Ullrich, chief research officer for the SANS Institute. Ullrich has documented the issue on the SANS Internet Storm Center blog.

Lawrence Baldwin, chief forensics officer with security vendor MyNetWatchman, discovered the threat Tuesday, and The Washington Post reported on it late Wednesday.

Criminals have managed to install fake navigation bars on the top of MySpace.com user profile pages that, when clicked, lead to malicious computers that attempt to infect the victim's computer. The attack uses several known Internet Explorer flaws that have been fixed, so users who have installed the latest Microsoft patches are not at risk, security experts said.

The code was installed on "maybe a few dozen," MySpace.com pages, most of which have been removed by administrators at the social-networking site, Ullrich said. MySpace.com representatives did not respond to requests for comment on Thursday.

Two components comprise the attack. It attempts to install malicious botnet software on victims' computers, and it uses these infected computers to try to steal MySpace credentials in a phishing attack.

Computers that are compromised by the attack become infected with malicious botnet software known as "flux bot," which makes them unwitting participants in the phishing scam. After the malicious Web site attempts to install the flux bot code, it then presents victims with a fake MySpace.com login page, which tries to extract their MySpace.com user name and password.

Baldwin allowed one of his test computers to be infected with flux bot and found that attackers were remarkably successful at stealing passwords. "I operated as a flux node for about 12 hours and did a full audit of all the traffic coming into my machine. I was probably getting close to 60 MySpace users an hour surfing to my flux node. And at least a quarter of those actually gave up their credentials."

Baldwin estimates that the attackers were using another 200 compromised flux bot machines in their attack.

Because MySpace.com allows users to install their own HTML code and is visited by such a large number of technically unsophisticated users, it has become an attractive target for these types of attacks.

Last December, hackers created a worm that quickly spread across MySpace.com, stealing user names and passwords. That worm exploited a flaw in Apple's QuickTime media player.

The Blu-ray Disc Association has announced a free movie promo meant to drive sales of Blu-ray players, including the PS3. Starting this weekend, customers can select 5 free Blu-ray movies from a list seen by Ars, with the purchase of any Blu-ray player.

Read More...

(InfoWorld) - Users are being advised to upgrade to newer versions of the RealPlayer and Helix Player multimedia products because of a critical security flaw.

The flaw could allow an attacker to gain control over a user's PC using a buffer overflow vulnerability, a memory problem that can allow unauthorized code to run on a machine, according to iDefense Inc.

The vulnerability was discovered last October but publicly disclosed Tuesday on iDefense's Web site.

Affected versions of the software include the 10.5 "gold" RealPlayer and any 1.x version of Helix Player, according to the French Security Incident Response Team (FrSIRT).

FrSIRT categorized the problems as "critical," adding that a denial-of-service attack is also possible.

RealPlayer users should receive notification of a "critical update," advising them to upgrade to the beta version of a new release, version 11, said Lewis Webb, a spokesman for RealNetworks. The new version can be downloaded from the RealPlayer Web site, although the site does not mention the security problem.

Current versions of Helix Player, an open-source version of RealPlayer, are available on its developer Web site.

For a successful attack, a user would have to be tricked into downloading from a Web site a malicious SMIL (synchronized multimedia integration language) file, a format used in rendering media, iDefense said.