Microsoft: Beware of Third-Party WMF Patch
Microsoft Corp. has slapped a 'buyer beware' tag on a third-party patch for the zero-day Windows Metafile flaw and promised that its own properly tested update will almost certainly ship Jan. 10.
The company's latest guidance comes days after an unofficial hotfix from reverse-engineering guru Ilfak Guilfanov got rare blessings from experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure Corp.
In a blog entry, Johansson said enterprise IT administrators must carefully consider the risks involved before thinking of applying Guilfanov's hotfix. "The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high."
Windows zero day nightmare exploited
F-Secure, Bugtraq and a number of other security-aware outfits have warned of a zero-day vulnerability that's being actively exploited as we write.
Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.
A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.
F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded.
There is no solid workaround against emerging WMF exploits. Locking down WMF files on the gateway and building network detection signatures may mitigate known threats. The impact of attacks may also increase.
Virus poses as MSN Messenger 8
Malware authors have produced a virus which poses as a test version of the latest, as yet unreleased, version of MSN Messenger. The Virkel-F masquerades as "MSN Messenger 8 Working BETA" and is available from a bogus site as a supposedly leaked early version of the software.
Windows users who download and run the malware (given the name BETA8WEBINSTALL.EXE by hackers) will fail to get the promised chat client. Instead their existing MSN Messenger client will start to send download links to everyone in their contact lists in a bid to encourage others to become infected. Infected machines will also become clients in a botnet network of compromised PCs.
The social engineering trick uses interest in a test version of Windows Live Messenger 8 - access to which is being auctioned on eBay - to hook victims.
Symantec refuses to sell audit tool outside US
Symantec has stopped selling a password auditing tool to customers outside the US and Canada, citing US Government export regulations.
Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration following a long-running campaign by cryptography experts and net activists, are once again rearing their heads.
Beyond confirming that "the statement you have received from your reader is correct", Symantec declined to field questions on the rationale for its policy and whether it applies to other products. Any US government policy to impose export regulations on security technologies would be futile since, to cite only one reason, many security firms are based outside the US and therefore unaffected by such regulations.
Software Predicts Movie Success
A computerized analysis of 800 films demonstrated a significant level of accuracy in gauging their financial success. The software predicted the right revenue category for the film 37 percent of the time. Seventy-five percent of the time, the film ranked within one category of its actual performance.
Professor Ramesh Sharda, an information systems specialist at Oklahoma State University, has developed a computer program to help Hollywood predict the potential success -- or failure -- of a film.
Sharda selected seven criteria on which to predict a movie's potential viability in the marketplace. Those include its rating by censors (e.g. G, PG, R), strength of the cast, genre, competition from other films at the time of release, special effects, whether it is a sequel, and the number of theaters in which it will show.
Xbox 360 copy protection cracks
Hackers have taken the first step towards breaking the anti-piracy system on Microsoft's Xbox 360 game console.
Information about the work of Team PI Coder was posted to a Dutch piracy site along with the raw data from the games. There were also links to a small program the group produced that helps to extract the data.
The crackers have not managed to get the data off game disks; instead, they have dug out the version of the game that the Xbox 360 creates when gamers start playing.
The crackers said they were releasing the raw data to help other hacking groups start the task of working out how the Xbox 360 tries to stop piracy.
"So the first task is done," wrote Team PI in the information files. "We hope this encourages all hackers, coders and crackers out there to take up the challenge."
Warner Music attacks specialized web-browser
PearLyrics is a program that displays the lyrics of the currently-playing track in iTunes: it gets the lyrics from the ID3 tag in the MP3 file, or if they aren't in there, it searches for them on a few different web sites, and then saves them into the MP3s.
It's very handy: I managed to use it to download the lyrics for almost half of my music collection in one fell swoop.
Except that the author got a "Cease and Desist" letter from Warner/Chappell Music, who seem to think that his program -- which is, basically, nothing more than a specialized web browser -- is somehow in violation of their copyrights.
Hacker gets blessing to hole democracy
A Finnish computer hacker is going to break into the Diebold Election System with the blessing of California's secretary of state.
Secretary of State Bruce McPherson has already refused Diebold certification after 20 percent of the new voting machines malfunctioned during a July test; however, he now wants to make sure that the machines are secure.
Last May, Hursti tested a Diebold system and changed the voting results. He also inserted a new program that flashed the message "Are we having fun yet?" on the computer screens.
He confirmed that if someone had the same access as an employee of the election office, it was possible to enter the computer, alter election results and exit the system without any physical record. Now McPherson wants to see this test for himself.
Hursti will use a randomly selected voting machine from one of the 17 counties that use a Diebold system. Diebold wanted the test to use a machine that it provided; however, that idea was vetoed by the state, we assume because it didn't want a machine designed to cheat the test.
RIAA backs rootkits
RIAA president Cary Sherman has backed Sony's use of spyware rootkits and claims that other companies do it all the time.
Sherman said that music corporations have the same right to protection as movie studios, video game makers, or software companies.
He said that there was nothing unusual about technology being used to protect intellectual property. He said that you can't make an extra copy of Windows or virtually any other software. Why should CDs be any different?
Would You Use Ad-Supported Windows?
ZDNet reported earlier this week that Microsoft was thinking of offering an Ad-Supported version of Windows. A blog post by John Carroll offers some reasons why Ad-Supported Windows makes sense. From the article: '4. More revenue through targeted marketing: The holy grail of marketing is to target an audience with the sort of ads that most appeal to them. Sending a bunch of male programmers advertisements for breast enlargement isn't terribly useful. Sending a bunch of male programmers advertisements for a four hour extended version of Star Trek: The Wrath of Khan is useful.' Is there any situation where you can see yourself open to the possibility of using an Ad-Supported operating system?