PC Invader Costs Ky. County $415,000
Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.
Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.
"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."
Sholar said the unauthorized transfers appear to have been driven by "some kind computer virus." Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well as interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims into serving as accomplices in the criminals' plan.
According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.
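The pattern in this case (a week of transfers just under $10,000 to roughly two dozen recipients the payroll had never paid before) is one a bank or treasurer can screen for. The following is an added example, not code from the post or from any bank involved; the account numbers, amounts and the $10,000 review threshold are constructed sample values.

```python
from datetime import date

# Constructed sample data (not from the Bullitt County case): the accounts that
# normally receive this payroll, and one week of outgoing transfers.
KNOWN_PAYEES = {"ACCT-1001", "ACCT-1002", "ACCT-1003"}

SAMPLE_TRANSFERS = [
    {"date": date(2009, 6, 22), "to": "ACCT-1001", "amount": 2450.00},
    {"date": date(2009, 6, 22), "to": "ACCT-1002", "amount": 3100.00},
    {"date": date(2009, 6, 22), "to": "ACCT-9001", "amount": 9800.00},
    {"date": date(2009, 6, 22), "to": "ACCT-9002", "amount": 9950.00},
    {"date": date(2009, 6, 23), "to": "ACCT-9003", "amount": 9700.00},
    {"date": date(2009, 6, 23), "to": "ACCT-9001", "amount": 9900.00},
    {"date": date(2009, 6, 24), "to": "ACCT-1003", "amount": 2800.00},
]


def flag_transfer(transfer, known_payees, threshold=10000.0, near_fraction=0.9):
    """Return the list of reasons a single transfer deserves a second look.

    Two signals from the case above: the destination is not a normal payroll
    recipient, and the amount sits just under a review threshold (assumed here
    to be $10,000), which is how the transfers stayed unnoticed for a week.
    """
    reasons = []
    if transfer["to"] not in known_payees:
        reasons.append("new payee")
    if near_fraction * threshold <= transfer["amount"] < threshold:
        reasons.append("just under threshold")
    return reasons


def review_batch(transfers, known_payees, threshold=10000.0, max_new_payees=2):
    """Review a batch of transfers and return a summary dict.

    Per-transfer reasons come from flag_transfer(); the batch-level alert
    fires when more distinct *new* payees appear than a payroll run would
    normally add (max_new_payees is an assumed tuning value).
    """
    flagged = {}
    new_payees = set()
    exposure = 0.0
    for idx, transfer in enumerate(transfers):
        reasons = flag_transfer(transfer, known_payees, threshold)
        if reasons:
            flagged[idx] = reasons
        if "new payee" in reasons:
            new_payees.add(transfer["to"])
            exposure += transfer["amount"]
    return {
        "flagged": flagged,                      # index -> reasons
        "new_payees": sorted(new_payees),
        "exposure_to_new_payees": round(exposure, 2),
        "batch_alert": len(new_payees) > max_new_payees,
    }


if __name__ == "__main__":
    summary = review_batch(SAMPLE_TRANSFERS, KNOWN_PAYEES)
    for idx, reasons in summary["flagged"].items():
        print(SAMPLE_TRANSFERS[idx], "->", ", ".join(reasons))
    print("batch alert:", summary["batch_alert"],
          "new payees:", summary["new_payees"],
          "exposure:", summary["exposure_to_new_payees"])
```

The batch-level check matters more than the per-transfer one: each transfer alone looks like an ordinary payroll item, and only the count of fresh recipients gives the pattern away.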
By Brian Krebs | July 2, 2009; 5:14 PM ET | Categories: Fraud, Safety Tips, Web Fraud 2.0 | Tags: $415000, bullitt county kentucky zeus
Spam Rates Recovering From 3FN Takedown
Google published a report on spam rates this past quarter indicating that spam volumes declined roughly 30 percent following the Federal Trade Commission's takedown of the troubled online hosting provider 3FN early last month. Google says spammers have already made up a significant amount of ground, climbing 14 percent from the initial drop.
The stats differ from other figures Security Fix collected about the impact of the 3FN takedown. Google's spam data was drawn from Postini, the company's e-mail security and archiving service.
The following graph shows Postini's view of spam volumes over the past six months:
Read more about Google's view of spam trends in its quarterly report, available here.
By Brian Krebs | July 1, 2009; 12:54 PM ET | Categories: Cyber Justice, From the Bunker, Misc. | Tags: google postini 3fn ftc
A Bustling Week for Cyber Justice
This past week has been a bustling one for cyber justice. The Federal Trade Commission announced a settlement in its ongoing case against scareware purveyors; a notorious hacker admitted stealing roughly two million credit card numbers; the Justice Department has charged a software developer from Arkansas with launching a series of debilitating online attacks against several online news sites that carried embarrassing stories about him. Finally, a federal appeals court decision gives security vendors added protection against spurious lawsuits by adware companies.
-- Last week, the FTC said it had settled with James Reno and his company ByteHosting Internet Services LLC. Both were named in the commission's broad sweep last year against purveyors of "scareware," programs that use bogus security alerts to frighten people into paying for worthless security software.
The settlement imposes a judgment of $1.9 million against Reno and ByteHosting, yet the court overseeing the case suspended all but $116,697 of that fine, "based on the defendants' inability to pay the full amount."
Six other defendants allegedly involved in the scareware scams face pending charges from the FTC. One of the defendants, a San Francisco man named Sam Jain, is currently the subject of a federal criminal prosecution in California. According to Jain's attorneys, federal prosecutors in Illinois also are preparing to indict him on computer fraud charges related to the scareware distributed by his company, Innovative Marketing. Jain is currently a fugitive from justice.
-- From Wired.com's Kevin Poulsen comes what may be the penultimate chapter in the prosecution of so-called superhacker Max Ray Butler, also of San Francisco. Butler, 36, faces up to 60 years in prison after pleading guilty to federal wire fraud charges that "he stole roughly two million credit card numbers from banks, businesses and other hackers, which were used to rack up $86 million in fraudulent charges."
Poulsen's story on Butler in Wired Magazine from December 2008 is a page-turner that chronicles the hacker's successful bid to hack into, take over and ultimately consolidate several online forums dedicated to the theft and sale of stolen credit card numbers. One of the forums he hacked, called "Darkmarket," turned out to be a full-blown undercover sting operation set up by the FBI.
-- In a criminal complaint unsealed yesterday in a New Jersey federal court, the Justice Department charges a software developer from Arkansas with using botnets -- armies of hacked PCs -- to flood several targeted Web sites with so much data that they were at least temporarily unable to accommodate legitimate visitors.
The government alleges that between July 2007 and March 2008, Bruce Raisley launched a series of denial-of-service attacks against Rollingstone.com, and several other Web sites. Among those attacked was perverted-justice.com, a site dedicated to publicly exposing and shaming men who solicit sex from underage boys and girls online. Perverted-justice.com is perhaps best known for its connection to the Dateline NBC show "To Catch a Predator."
Charging documents note that Raisley apparently targeted those two sites and seven others for their publication of stories that retold an embarrassing chapter of his life. According to a July 2007 Rolling Stone article about perverted-justice.com founder Xavier Von Erck, Raisley himself was a former volunteer who helped perverted-justice members ensnare new targets.
At some point, the Rolling Stone article says, Raisley had a falling out with perverted-justice, and launched his own online campaign to depict the site's members as an out-of-control vigilante group. According to the Rolling Stone article, Von Erck "exacted a particularly sadistic form of revenge against" Raisley:
Posing as a woman named Holly, Von Erck began an online flirtation with Raisley, who was smitten enough to leave his wife and rent a new apartment. On the day Raisley went to pick up Holly at the airport, Von Erck sent a friend to snap his photo and posted it with a warning: "Tonight, Bruce Raisley stood around at an airport, flowers in hand, waiting for a woman that turned out to be a man. . . . He has no one. He has no more secrets. . . . Perverted-Justice.com will only tolerate so much in the way of threats and attacks upon us."
Raisley's court-appointed attorney could not be immediately reached for comment.
-- On Friday, the U.S. Ninth Circuit Court of Appeals in Seattle upheld a decision to dismiss a case brought in 2007 by Bellevue, Wash.-based adware maker Zango. The company had sued anti-virus maker Kaspersky, charging that Kaspersky interfered with its business by removing Zango's adware without first alerting the user.
The appeals court affirmed that Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable.
Eric Howes, director of malware research at computer security firm Sunbelt Software, said that, admittedly, this decision is not nearly as consequential for anti-malware providers as it would have been three or four years ago, when adware vendors such as Zango and Direct Revenue were regularly threatening anti-spyware providers with legal action and peppering them with cease-and-desist letters on a weekly basis.
"It's been a while since we received any serious legal threats, although we do still get the occasional protest from software developers whose apps we target as 'low risk,' potentially unwanted programs or tools," Howes wrote on the company's blog. "Nonetheless, the decision is a welcome one, as it extends to Sunbelt and other anti-malware providers the kind of legal cover we need in order to provide our customers and users with strong protection against unwanted, malicious software."
By Brian Krebs | July 1, 2009; 7:00 AM ET | Categories: Cyber Justice, Fraud, U.S. Government, Web Fraud 2.0 | Tags: bruce raisley, cyber justice
FFSearcher: A Stealthy Evolution in Click Fraud
Every so often, a new piece of malicious software comes along that introduces a subtle yet evolutionary technological leap, a quickly-mimicked shift that allows cyber crooks to be far more stealthy in plying their trade. According to research released last week, this happened most recently in the realm of click fraud, a rapidly growing problem that inflates online advertising costs for legitimate companies and ad networks.
For years, hackers have used malicious software to perpetrate click fraud by hijacking the results displayed when users search for something online. The trouble is, these scams can be rather clumsy: Victims often figure out pretty quickly that something is wrong, usually because their searches are redirected to an unfamiliar search portal, as opposed to their regular default search provider.
But a new Trojan horse program being distributed by tens of thousands of recently hacked Web sites hijacks search results so that Google.com users can scarcely tell that their Web searches are being funneled through third-party sites.
Earlier this month, security experts at Websense warned that some 40,000 Web sites were hacked and seeded with code that bombards a visitor's PC with a virtual kitchen sink worth of browser exploits, all in an effort to install a Trojan horse program. Websense named this mass compromise "Nine-Ball," and the Trojan dropped on victimized PCs was thought to install a range of malicious software.
Joe Stewart, director of malware research at SecureWorks, an Atlanta-based computer security firm, has found that among the malware installed by the Nine-Ball Trojan was a click fraud Trojan that SecureWorks has nicknamed "FFsearcher," after one of the Web sites used in the scam (ffsearcher.com).
According to Stewart, FFSearcher is capable of hijacking Google search engine results on both Internet Explorer and Firefox browsers. It takes advantage of Google's "AdSense for Search" application programming interface (API), which allows Web sites to embed Google search results alongside the usual Google AdSense ads. This Google Custom Search widget is used by tens of thousands of legitimate sites to generate ad revenue. For instance, let's say example.com uses this widget on its site, and someone browsing that site uses the built-in widget to search for some content. If that visitor then happens to click one of the ads displayed in the embedded search results, example.com will earn a small sum of money for that referral.
Stewart said the authors of FFSearcher realized they could use a Trojan to convert every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site).
By Brian Krebs | June 30, 2009; 7:20 AM ET | Categories: Fraud, Misc., Web Fraud 2.0 | Tags: click fraud, ffsearcher
Ex-DHS Cyber Chief Tapped as President of ICANN
Former Department of Homeland Security cyber chief Rod A. Beckstrom has been tapped to be the new president of the Internet Corporation for Assigned Names and Numbers (ICANN), the California based non-profit that oversees the Internet's address system.
Most recently, Beckstrom was director of the National Cyber Security Center -- an organization created to coordinate security efforts across the intelligence community. Beckstrom resigned that post in March, citing a lack of funding and authority.
Beckstrom joins ICANN as the Internet governance body faces some of the most complex and contentious proposed changes to the Internet's addressing system in the organization's entire 11-year history. For example:
-- The United States is under considerable pressure to give up control over ICANN and turn it over to international supervision and management. ICANN currently operates under a Joint Project Agreement with the U.S. government, but that agreement is due to expire at the end of September.
-- Currently, there are 21 so-called "generic top-level domains," such as dot-com, dot-net, dot-biz, and dot-org. Under pressure from domain speculators and many businesses, ICANN is now in the process of radically expanding the number of new gTLDs to include potentially hundreds more, to include things like brand names (e.g., dot-nike or dot-google), places (e.g., dot-berlin or dot-ohio), or even sports franchises (e.g., dot-yankees). Intellectual property rights lawyers and some business groups have opposed expanding the number of gTLDs without first putting in place a system for addressing disputes over domains that could violate trademark rights.
-- ICANN is moving to implement so-called "internationalized domain names," which will allow the creation and display of domain names written in different alphabets and languages, such as domains featuring Chinese and Russian characters. IDNs are hardly controversial, but they do hold the potential to give scam artists like phishers a whole new way to trick people into visiting scam sites. Consider, for example, that the Cyrillic "a" and the Latin "a" may look alike to humans, but they are interpreted differently by machines. As a result a domain name registered by fraudsters that includes a mix of Cyrillic and Latin letters might look like a familiar brand when presented in a Web link, but lead to a counterfeit version of that brand's Web site designed to steal customer data.
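The Cyrillic-versus-Latin "a" point above can be turned into a concrete check. The following is an added example, not code from the post or from ICANN: it flags domain labels that mix scripts, compares a domain against a short, constructed look-alike map (the real Unicode confusables table is far larger), and shows the punycode form that a resolver actually sees. The domain names and brand list are constructed samples.

```python
import unicodedata

# Constructed map of Cyrillic letters that look like Latin ones to a human
# reader; Unicode's full confusables data (UTS #39) covers many more.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch):
    """Classify one character by the script family named in its Unicode name."""
    if ch in "-0123456789":
        return "Common"   # allowed in any label, never counts as a script
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def label_scripts(label):
    """Set of scripts used in one domain label, ignoring digits and hyphens."""
    return {script_of(ch) for ch in label} - {"Common"}


def is_mixed_script(domain):
    """True if any label of the domain mixes letters from two or more scripts.

    A purely Cyrillic name is legitimate; a Latin brand with one Cyrillic
    letter swapped in is the phishing pattern described above.
    """
    return any(len(label_scripts(label)) > 1 for label in domain.lower().split("."))


def skeleton(domain):
    """Replace look-alike Cyrillic letters with the Latin letters they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in domain.lower())


def resembles_brand(domain, brands):
    """Return the brand a domain imitates, or None if it is the brand itself."""
    sk = skeleton(domain)
    for brand in brands:
        if sk == brand.lower() and domain.lower() != brand.lower():
            return brand
    return None


def to_ascii(domain):
    """Encode the name as a resolver sees it (IDNA/punycode, xn-- labels)."""
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    # "example.com" with a Cyrillic small letter ie in place of the Latin "e".
    suspect = "\u0435xample.com"
    print(hex(ord("e")), hex(ord("\u0435")))          # same glyph, different code points
    print(is_mixed_script(suspect), resembles_brand(suspect, ["example.com"]))
    print(to_ascii(suspect))                           # the xn-- form a browser can show
```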
Beckstrom was voted president of ICANN at the group's meeting in Sydney, Australia this week. On Thursday, I had the opportunity to speak via phone with Beckstrom about why he wanted this job, and what he hopes to do with it. Here are some excerpts from that interview:
BK: Congratulations on being picked.
Beckstrom: Thank you. You know, it's funny...I just got an e-mail from a friend who said he thought it would be hard to imagine me finding a more difficult job than running the NCSC [at DHS], but congratulating me on finding something even more impossible than that job [laughs].
BK: Yes. ICANN has a reputation for being difficult to manage and come to a consensus on even seemingly simple issues. Some people have likened it to herding cats. What made you want this job in the first place?
Beckstrom: Well, I've herded cats for a lot of my career. In fact, for 14 years, I ran CATS Software Inc., which had 35 Ph.Ds on the staff and two Nobel Prize winners on the board of directors, and let me tell you having that much brainpower in the shop is seriously like herding cats. So, maybe I have some experience there.
BK: What is your impression of ICANN and this process as you've watched the various communities coalesce down there for this week's meeting?
Beckstrom: I'm a bit overwhelmed by the tremendous complexity of issues on the table. This is perhaps the most complex, multi-stakeholder environment I've ever seen. So I have a great appreciation for that and a fascination with that, but I certainly wouldn't even claim to have a firm grasp on all of this yet. And that's one of the things I'll need to be learning as I grow into this role.
By Brian Krebs | June 26, 2009; 7:30 AM ET | Categories: From the Bunker, Misc., U.S. Government | Tags: icann president, rod beckstrom
Critical Security Fix for Adobe Shockwave Player
Adobe Systems Inc. on Tuesday issued a software update to fix a critical security flaw in its Shockwave Player, a commonly installed Web browser plug-in. According to Adobe, a malicious or hacked site could use the security hole to install malicious software if the visitor merely browses the site with a vulnerable version of the media player software.
The flaw exists in Shockwave Player (also known as Macromedia Shockwave Player) version 11.5.0.596 and earlier. To find out whether Shockwave is installed and which version may be on your PC, visit this site.
In a posting to its security blog, Adobe said it is not aware of any exploits in the wild for this vulnerability.
Adobe recommends Shockwave Player users on Windows uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart and install Shockwave version 11.5.0.600, available here.
Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive. It makes you wonder: Did Symantec come up with this marketing tactic on their own, or did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update.
By Brian Krebs | June 25, 2009; 7:00 AM ET | Categories: New Patches, Safety Tips | Tags: adobe shockwave
Microsoft Debuts Free Antivirus Software Beta
Microsoft on Tuesday released a beta version of its new free anti-virus offering, Microsoft Security Essentials (a.k.a. "Morro"). My review, in short: the program is a fast, easy-to-use and unobtrusive new addition to the stable of free anti-virus options available today.
MSE is basically the next generation of Microsoft's Windows Live OneCare anti-virus and anti-spyware service, but without all of the extras, such as a firewall, data backup solution or PC performance tuning (Microsoft announced in Nov. 2008 that it would stop selling OneCare through its retail channels at the end of June 2009).
The toughest part was getting the program installed. MSE can run on Windows XP, Vista or Windows 7 (both 32-bit and 64-bit versions), but it failed to install on an XP Pro system I tried to use as my initial test machine -- leaving me with nothing more than a failure message and cryptic error code that didn't turn up anything in an online search.
Fortunately, it installed without issue on my Windows 7 Beta system. Interested users should note that installing MSE requires that the would-be user's system passes Microsoft's Windows Genuine Advantage anti-piracy tool, which checks to make sure it is being installed on a licensed version of Windows. Would-be users also will need to register for or already have a free Windows Live (or Hotmail) account in order to download the program.
After installation, MSE spends a couple of minutes downloading additional files, and then prompts the user to perform a "Quick Scan." True to its name, that scan took less than 10 minutes on my test system. A full scan, however, took about 45 minutes on a relatively new install of Windows 7.
Anti-virus products are notorious for sucking up system resources, but you'd be forgiven for forgetting this program is even running. It barely used more than 4 MB of system memory for the entire time I tested it, including during scans.
By default, MSE scans archived files (e.g., .zip), and creates a system restore point before deleting any files that set off alarms. The one scanning option not checked by default is to scan removable drives -- such as USB drives -- for viruses. But users can enable this option.
The program is not just an on-demand scanner: It includes real-time protection, which Microsoft says "alerts you when viruses, spyware and other potentially unwanted software attempts to install itself or run on your computer."
In addition, MSE monitors file and program activity on your computer, and automatically scans all downloaded files and attachments. If it finds something, it will ask you what to do with the suspect file, and if the user takes no action after 10 minutes, Microsoft will decide what to do with the file(s) according to its default actions. Out of the box, it schedules a scan every Sunday at 2:00 a.m., but only if the PC is idle at that time.
A great deal has been written so far about the potential for MSE to unseat established giants in the anti-virus industry. It's too soon to say whether that will happen, or how Microsoft's new offering will measure up in tests against real-life malicious software, tests that are beyond the scope of this review.
Personally, I doubt whether MSE will have much of an impact on the anti-virus market as a whole. If anti-virus industry players fall by the wayside in the coming years, it will be because they either get gobbled up by their (non-Microsoft) competitors, or they fail to adapt to the latest threats.
Each time the issue of Microsoft throwing its weight around in the security space arises, it invariably raises the same issues of trust, privacy and efficacy. Allow me to address a few of the common themes, in the context of MSE:
Microsoft made the operating system, so it's probably best equipped to produce software capable of defending its weaknesses: The truth is, Microsoft is continually defending the weaknesses in Windows. Every month, it ships new patches to fix security and stability problems in its software that it didn't know about until bad guys or researchers unearthed them and proved they were exploitable. What's more, Microsoft is in no more advantageous a position vis-a-vis other anti-virus makers to tell which tricks the bad guys will pull out of their hats next.
By Brian Krebs | June 24, 2009; 7:00 AM ET | Categories: From the Bunker, Misc., Safety Tips | Tags: microsoft security essentials, morro
Accused Spam King Alan Ralsky Pleads Guilty
Alan Ralsky, a 64-year-old Michigan man whom federal investigators say was among the world's top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.
Ralsky (pictured at right, courtesy of Spamhaus) and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act. Under the terms of his plea agreement, Ralsky faces as much as 87 months in prison and a $1 million fine, while Bradley could get as much as 78 months in prison and a $1 million fine under the federal sentencing guidelines.
The Ralsky plea caps a long effort by the government to nab one of the most prolific spammers. In September 2005, the FBI raided Ralsky's home, but it wasn't until early 2008 that the government indicted Ralsky and 10 others tied to a scheme to manipulate Chinese stock prices through the use of junk e-mail.
The defendants admitted to sending tens of millions of e-mails in a bid to pump up the prices of Chinese penny stocks, and then selling the stocks at inflated prices. According to court records, Ralsky and his accomplices blasted out their spam through botnets, using tens of thousands of hijacked PCs to relay their junk messages. The government says they earned as much as $3 million during the summer of 2005 through the scams.
Richard Cox, chief information officer at Spamhaus.org, a group that tracks spammers and spam activity, said his organization has followed Ralsky orchestrating spam campaigns as far back as 1997.
"This has been a long time coming," Cox said. "Ralsky has been identified as one of the key drivers of a lot of development in the spam world, and was among the first to commission mass-mailing Trojans to help develop spam botnets."
Cox said stock spam has taken a big hit since Ralsky's indictment, but that even 87 months -- if he actually receives that much -- would be far too lenient a sentence for someone who caused so much misery for computer and network owners and operators. "If you look at the fact he was paying money to people to develop botnets -- and the cost to millions of innocent people around the world who had to pay lots of money every time they had to repair their computer to fix the damage caused by his spam Trojans -- even the maximum time he could get under this agreement is not nearly enough."
Prior to the government's case against him, Ralsky tangled with several Internet service providers. Verizon Communications Inc. sued him in 2001, charging that he clogged its network with millions of e-mail solicitations. Ralsky settled that lawsuit in 2002, pledging to no longer spam Verizon's customers.
Also pleading guilty in connection with the Ralsky case are:
-John S. Bown, 45, of Fresno, Calif., the chief technology officer for the spamming operation. He faces up to 63 months in prison and a $75,000 fine.
-William C. Neil, 46, of Fresno, who built and maintained a computer network used to transmit junk e-mails as part of the conspiracy. Neil is looking at as much as 37 months in prison and a $30,000 fine.
-James E. Fite, a 36-year-old from Culver City, Calif., a contract spammer, who hired others to send spam. Fite is facing up to two years in prison and a $30,000 fine.
All five defendants are scheduled to be sentenced on Oct. 29, 2009.
By Brian Krebs | June 23, 2009; 10:15 AM ET | Categories: Cyber Justice, Fraud, U.S. Government | Tags: alan ralsky plea
Web Fraud 2.0: Franchising Cyber Crime
For the most part, cyber gangs that create malicious software and spread spam operate as shadowy, exclusive organizations that toil in secrecy, usually in Eastern Europe. But with just a few clicks, anyone can jump into business with even the most notorious of these organizations by opening up the equivalent of a franchise operation.
Some of the most active of these franchises help distribute malicious software through so-called pay-per-install programs, which pay tiny commissions to the franchise operators, or so-called affiliates, each time a supplied program is installed on an unsuspecting victim's PC.
These installer programs will often hijack the victim's search results, or steal data from the infected computer. Typically, affiliates will secretly bundle the installers with popular pirated software titles that are made available for download on peer-to-peer file-trading sites. In other cases, the installers are stitched into legitimate, hacked Web sites and quietly foisted upon PCs when people visit the sites with outdated, insecure Web browsers.
Experts say one of the longest-running and most successful of these pay-per-install operations is an organization called "InstallsCash," which pays distributors to spread a variety of invasive programs. After you've signed up for a free account, InstallsCash will provide you with an installer file (.exe). They will then pay you between $5 and $140 per 1,000 installs (with higher rates for installations in countries like the United States, United Kingdom and Italy).
InstallsCash tells affiliates that the program they're distributing merely changes the victim's homepage, adds a browser toolbar, and installs a porn dialer, which hijacks the victim's dial-up modem to make expensive 1-900 phone calls. Working with security researchers, Security Fix signed up for an account at InstallsCash to learn what their affiliates were really installing.
What we found was that the installation program given by InstallsCash to distributors installs some of the most sophisticated and aggressive malicious software in circulation today.
According to one analysis by researchers at Atlanta-based managed security services firm SecureWorks, an InstallsCash installer delivered to affiliates in mid-May dropped no fewer than 15 pieces of malware on victim systems, including Cutwail, one of the most sophisticated and prolific spam bots on the planet. Also included were variants of the Koobface worm -- which spreads via social networking sites like Facebook (hence the anagram of Facebook) -- as well as the Zeus or PRG Trojan, a sophisticated password-stealing program.
Separately, experts with security research firm Team Cymru looked at a different installer offered by InstallsCash. Team Cymru found that the installer seeded PCs with quite a different crop of malware, including several Trojan horse programs, a rootkit, a virus and backdoor called Virut, and a generic spam Trojan that turns the victim PC into a spam relay.
No offices or phone numbers are listed on the group's Web site. On its "About Us" page, InstallsCash lists six different instant message accounts that can be used to contact them. Security Fix left messages at all six. The one who did answer, named "Install_Support," said "Ask me your questions, maybe I will answer," but then declined to answer any of them, except to say that he or she was located in Ukraine.
A publicly-accessible test page on the group's Web site indicates that the last person to administer the site did so via an encrypted connection from a DSL account in Kiev, Ukraine.
It is illegal in most countries to distribute malicious software, such as computer worms, with the intention of infecting computers without the owner's permission.
Michael LaPilla, director of malicious code operations for iDefense, a Sterling, Va.-based security intelligence group owned by Verisign, said InstallsCash has a long and storied history, albeit under different names: The affiliate program previously went by the names Iframedollars and Iframecash, and for a long time was among the most visible arms of the infamous Russian Business Network.
"They've been active for so long," LaPilla said. "They just took new names after too much public attention got their old domains shut down."
LaPilla said exactly what that installer program will plant on infected machines varies from day to day, based on two factors: where the victim lives, and which cyber criminal gangs are paying InstallsCash to distribute malware that week.
In 2007, iDefense analysts launched an investigation to see whether the malware being downloaded by the InstallsCash installer changed depending on the geographical location of the victim PC. Sure enough, iDefense found that most of the PCs receiving password-stealing Trojans sought credentials for financial institutions specific to the victim's region.
By Brian Krebs | June 19, 2009; 3:35 PM ET
Categories: Fraud, From the Bunker, Misc., Web Fraud 2.0 | Tags: crime franchise, iframecash, iframedollars, installscash
Malicious Attacks Most Blamed in '09 Data Breaches
Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego-based nonprofit.
The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008.
Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology.
"It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."
While the center found the overall number of breaches is down significantly from the same period last year (342), that doesn't mean that fewer businesses and consumers are being affected by data breaches (around 12 million so far this year). Foley said fewer than half of the entities that disclosed a breach so far this year disclosed how many total victims there were.
The center found that 14 percent of breaches this year were due to data contained on lost or stolen digital media, such as a laptop or USB thumb drive, while 11.6 percent of the breaches involved personal data that was inadvertently exposed or published.
Please join me today at 11 a.m. ET for Security Fix Live, when Yours Truly endeavors to answer your questions about all things tech, security and privacy related. If you can't join us then, drop a question in the hopper now. The transcript will be archived here.
By Brian Krebs | June 19, 2009; 10:35 AM ET
Categories: Fraud, From the Bunker, New Patches | Tags: data breach 2009, id theft resource center
iPhone 3.0 Includes 46 Security Updates
Apple on Wednesday released the much anticipated 3.0 update for the iPhone, bundling at least 46 security fixes into a new version of the iPhone operating system that includes essential functionality such as cut-and-paste and Spotlight search.
Included in the 3.0 bundle are security patches for vulnerabilities in a broad range of iPhone components, including Safari and Mail. The mail flaw, for example, could allow a malicious app or attacker to place a phone call without user interaction. A host of other security holes fixed by this update could allow a remote attacker or Web site to run malicious code on the device or cause it to crash.
The update is available only through iTunes. My colleague Rob Pegoraro has a more in-depth post about the new features built into this update, but he was having trouble grabbing the update yesterday. Apple says that the automatic update process may take up to a week depending on the day that iTunes checks for updates. Late last night, I was able to download and install the 3.0 update by clicking the "Check for Updates" option in iTunes. The whole process took close to an hour to complete. Note that the update may not be offered if you are not running the latest version of iTunes (8.2).
The update went smoothly for the most part. It inserts a new search screen directly before the main apps page, but in doing so it appears to have screwed up the positioning of my apps, causing a single app to take up an entire screen as I page through them. Still, the search function works well and is a long-overdue feature.
What about you, dear Security Fix readers? Experience any problems applying this update? Leave a note in the comments section below.
By Brian Krebs | June 18, 2009; 2:05 PM ET
Categories: New Patches | Tags: iphone 3.0, spotlight