A Trojan horse program that has been around for about six years is now being used to steal system-administrator passwords, including those at banking and brokerage houses, according to security researchers. And it could be that six years from now we'll still be talking about Microsoft's aim to buy Yahoo's search business, which could involve obtaining the entire company and breaking it apart. Meanwhile, early adopters will undoubtedly be out in force on July 11 to be among the first to buy the new iPhone 3G.

1. Report says Microsoft readying new try for Yahoo: Bill Gates said on his way out of his full-time gig at Microsoft that he thought a deal for his company to buy Yahoo was unlikely, but a couple of days later the Wall Street Journal reported that Microsoft is looking for partners -- Time Warner and News Corp. were named -- to help it obtain Yahoo's search business. So, to quote baseball legend Yogi Berra, "It ain't over 'til it's over." And this one clearly ain't over yet.

2. Trojan lurks, waiting to steal admin passwords: The Coreflood Trojan horse program lurks until a system administrator logs on to an infected computer and then steals the password, using a Microsoft administration tool to spread malware on the network. The malware is being used to swipe banking- and brokerage-account usernames and passwords. So far, criminals have infected hundreds of thousands of computers with Coreflood, including more than 14,000 in one global hotel chain.

3. iPhone 3G set for 8 a.m. debut on July 11 and AT&T dishes on iPhone rate plans: AT&T announced prices for iPhone 3G service, which are, of course, more costly than plans for earlier iPhones. The carrier also announced that the new iPhones will be on sale at 8 in the morning, local time, on July 11. That's earlier than Apple retail stores open, though someone who answered the phone at the flagship San Francisco Apple Store wouldn't say if the opening will be moved up two hours and suggested that a reporter ring back later. (There has to be some element of the launch that maintains an air of secrecy, eh?)

4. Microsoft eases hardware terms for XP on low-cost PCs: Although June 30 marked the end of Microsoft offering most licenses for its Windows XP operating system, the company is still pushing the OS for use in low-cost PCs and it has eased hardware restrictions. Low-cost PCs with touchscreens, larger screen sizes and bigger hard drives now are eligible to use XP.

5. Oracle reveals BEA roadmap: Since Oracle closed its $8.5 billion merger with BEA, questions have abounded as to how the two companies' technologies will mesh -- or if they will even mesh at all. This week, Oracle finally laid out its plans of what to do with BEA's technology, saying it plans to make BEA's application server Oracle's strategic Java container and pledging continued support for BEA customers.

6. Long-awaited JBoss AS 5.0 moves closer to release date: The release candidate of the long-awaited JBoss Application Server 5.0 will be out soon, according a blog posting from the chief technology officer of Red Hat's JBoss division. Product development started three years ago and stretched out as the company decided to make more changes to the next version.

7. DOJ continues probe of Yahoo-Google partnership: The U.S. Department of Justice continues to investigate the proposed advertising partnership between Yahoo and Google, a DOJ spokeswoman said this week. The Washington Post reported Wednesday that the DOJ had just initiated a formal antitrust investigation around the proposed deal, but the spokeswoman said that the probe under way was begun June 16. Regulatory scrutiny was widely expected.

8. Adobe, Google, Yahoo enabling Flash searches: Yahoo and Google are working with Adobe to facilitate Flash pages being returned as search results. The move could mean that millions of rich Internet applications that had previously been all but invisible to search engines will now become serachable.

9. Mozilla's Firefox 3 sets geeky world record: The 8,002,530 downloads of Firefox 3 in the first 24 hours after the browser's release made it into the Guinness Book of World Records for the most downloads in that time period. Mozilla set out to achieve the first-ever such record. "Our community members came together and not only spread the word, but also took the initiative to help mobilize millions of people to demonstrate their belief that Firefox gives people the best possible online experience," said Mozilla Vice President of Marketing Paul Kim. Or maybe they just wanted to be part of setting the record ...

10. Gartner: Seven cloud-computing security risks: Cloud-computing customers need to ask hard questions about security and should think about getting a third-party security assessment before choosing a vendor, analyst firm Gartner recommends. A Gartner report, "Assessing the Security Risks of Cloud Computing," lays out the areas of security concern.

In an atmosphere where government fines for breaches in privacy regulations are increasing, SAP and Cisco unveiled this week Data Privacy Composite Application by SAP and Cisco at the SAP TechEd conference in Berlin.

The application supports compliance with a company?s data privacy policies as well as any external requirements from government agencies. If, for example, an admitting nurse in a hospital attempts to send an e-mail to friends that a celebrity is checking in to the hospital, the SAP-Cisco application would quarantine that e-mail and thus prevent it from being sent.

According to Sharada Achanta, senior director of SAP GRC Data Privacy Solutions, the average cost in the United States for fixing a breach in privacy and related fines is now about $4.8 million per incident.

The composite application is unique in that it takes its components from the SAP application layer and Cisco network layer, making it a network-wide solution rather than a point solution.

Using components from SAP's GRC (Governance Risk Compliance) application portfolio for attaching controls to business processes and documents as they relate to privacy, the controls are enforced at the network layer using Cisco's AON (Application Oriented Networking) middleware. AON adds message-level inspection to the network.

"The business process rules and controls that reside in the application layer and that are usually run by GRC managers have never before been integrated with IT network policies. That makes this unique," said Achanta .

"We are exposing network services at a network layer to the application layer, which means that the network can talk to the GRC process control application and vice versa," added Vaughn Miller, director for business development at Cisco.?

The combined solution would also prevent an employee from transferring data from the network on to transportable media like a USB stick.

Other privacy prevention capabilities include creating privacy policies based on location so that a U.S. employee would be restricted from accessing data residing in another country, and stopping e-mails sent to unauthorized employees or names outside of the company firewall. The solution requires NetWeaver, the BI module, and SAP GRC Process Control 2.5 for the SAP stack. From Cisco, users must have AON.

The solution is shipping now.

It's the mother of all patch days for enterprise IT shops, with both Microsoft and Oracle releasing critical software updates Tuesday.

Microsoft kicked things off Tuesday morning with 11 security updates, including fixes for critical security bugs in Windows Active Directory, Internet Explorer, Excel, and the Microsoft Host Integration Server, which integrates Windows computers with IBM mainframes.

[ Discover the top-rated IT products as rated by the InfoWorld Test Center. ]

Security experts say that the Internet Explorer update, which fixes six bugs in the browser, is the one to watch. That's because it is rated critical for Internet Explorer 6 users running Windows XP -- a very common configuration in the enterprise.

But customers who are running Windows Active Directory on older Windows 2000 machines should move the MS08-060 Active Directory update to the top of their patch queue, said Don Leatham, a director of solutions and strategy at Lumension Security. Because an Active Directory server can be used to set permissions on other machines and manage users on the network, taking over this machine "would be the Holy Grail for someone trying to get into a company and totally disrupt it," he said.

Normally, Active Directory servers are blocked at the firewall, which means that an attacker would probably have to be on an internal network to mount an attack, said Eric Schultze, chief technology officer with Shavlik Technologies. But the bug "means any internal, disgruntled user can take complete control over Windows 2000 domains and domain controllers," he said via instant message.

Mitigating this concern, however, is the fact that Microsoft has not had any reports that this vulnerability has been exploited in an attack. While it's likely that an attacker could crash the Windows 2000 machine by exploiting this bug, "creating functioning exploit code to leverage remote code execution is difficult," Microsoft said in a note on its Web site.

In total, 20 security bugs were fixed in Microsoft's 11 updates. There were also six less-critical updates, rated "important," by Microsoft, for various Windows components, and a "moderate" patch to fix a bug that could let an attacker snoop information from an Office user.

Oracle's security updates, expected at 1 p.m. PT, will include fixes for 36 bugs in a range of Oracle products, including the company's flagship Database, its Application Server, E-Business Suite, and WebLogic server and development tools. Bug-fixes are also planned for the company's JD Edwards and PeopleSoft products.

It's unusual for both Microsoft and Oracle to be pushing out patches on the same day. Microsoft's security updates come out on the second Tuesday of every month, known as Patch Tuesday in the industry. But Oracle's patches are a quarterly affair, delivered on the Tuesday nearest the middle of the month. Typically, that puts the Oracle patches on the third Tuesday of the month, but this month, the Microsoft and Oracle release dates converged.

Tuesday's Microsoft updates came with a little more information for the company's customers too. They included a new section called the "Exploitability Index," designed to make it easier for Windows users to figure out which bugs are most likely to be exploited by hackers.

Microsoft has now rated all of its security updates with the following descriptions: "Consistent Exploit Code Likely," "Inconsistent Exploit Code Likely," or "Functioning Exploit Code Unlikely."

The company said that exploit code was likely for bugs in the critical Internet Explorer, Microsoft Host Integration Server, and Excel updates. One of the Internet Explorer bugs, which could let an attacker gain elevated privileges on a Windows machine, has already been publicly disclosed, but is not thought to have been used in real-world attacks, Microsoft said.

Another first: Microsoft gave certain security partners early access to its updates this month so that they could roll attack detection into their software as the patches were released Tuesday.

Novell has agreed to buy Managed Objects, a McLean, Va., maker of BSM (business service management) software. Terms of the deal, announced Tuesday, were not disclosed.

BSM software helps companies map the performance of their IT systems against day-to-day business processes. The BSM market has become dominated by a handful of large players -- IBM, Hewlett-Packard, CA, and BMC -- but is also populated by a range of smaller ones, such as Compuware and FireScope.

[ Frustrated by your PC support? You're not alone. Get answers from Ed Foster in InfoWorld's Gripe Line blog and newsletter. ]

Novell has other software in the IT management arena, but in areas such as identity, datacenter, and asset management, as opposed to the type of service modeling and analysis tools sold by Managed Objects.

Therefore, it doesn't appear that existing Managed Objects customers have a lot to fear, in terms of the future of the vendor's product line, according to Michael Coté, an analyst with RedMonk.

"With most acquisitions, the thing you're always worried about is overlapping technology and that something will be eliminated. But Novell bought something they didn't have," Coté said.

The deal is expected to close during the first quarter of Novell's fiscal 2009, which runs Nov. 1 through Jan. 31. Novell plans to integrate Managed Objects into its Systems and Resource Management business unit.

Managed Objects' customers include Fidelity Investments and Verizon.

Novell plans to retain the majority of Managed Objects' employees, but "there's always redundancy that comes into these situations," said Richard Whitehead, director of marketing for datacenter solutions at Novell. He declined to say how many workers Managed Objects has or disclose any other details about the company's size.

As for Managed Objects' customers, "the big message there is that we do not want them to see any change in the support and the product road maps they've seen," Whitehead said. "We hope they even see improved capabilities from the acquisition."

A U.S. startup has emerged from stealth mode Tuesday and is set to introduce Windows data migration software aimed at mid-size businesses, a sector it feels desperately needs affordable data migration tools.

According to a survey carried out by AutoVirt, businesses are vastly over-provisioning their NAS resources. This in turn leads to low utilization rates, with the survey finding that Windows servers had average utilization rates of 20 percent, while Windows storage had average utilization rates of 30 percent.

AutoVirt says that this, coupled with the growth of unstructured data, and the fact that IT managers are frequently lumbered with manually doing data migration themselves, provides it with the chance to save mid-size businesses money by using its out-of-band file virtualization product, so IT managers can consolidate their storage resources, a message bound to appeal to any financial director in the current economic climate.

AutoVirt calls its offering the "first fully automated and transparent data migration solution geared specifically for networked Windows file systems." It is worth pointing out that the product is only available at the moment via an early adopter program that will run until April next year.

"We are pursuing the problem of migrating of unstructured file data, specifically in the Windows environment," said Klavs Landberg, AutoVirt's CTO and founder. "This is a very painful problem for users at the moment, and we have built a file virtualization platform to help."

"Users are suffering greatly from data migration," Landberg told Techworld. "Often, they have to take all their systems offline all weekend, babysit them, and manually do data migration. Come Monday morning, IT managers often have the additional headache of having to modify all of the clients."

Landberg said AutoVirt is looking to resolve this problem, as users want a transparent data migration solution that can automatically preserve security issues and not be limited to be a particular configuration. It must be easy to deploy, with little downtime required and no configuration changes, and no client software agents.

This led to AutoVirt creating its out-of-band offering that introduces no additional latency and offers unlimited bandwidth,with no network impact and no back-end configuration restrictions. Landberg says that AutoVirt can offer online data migration that is automated and completely invisible to clients.

Landberg says the startup is aiming squarely at mid-size businesses and is remarkably up front about how it will appeal to that sector. For example, for small businesses, AutoVirt's solution has an average selling price of $10,000 for up to 500 NAS users, which is more expensive than the rival offerings from SecureCopy and MigratePro.

However, AutoVirt's solution (for more that 500 NAS users) costs around $25,000 for midrange customers, and $100,000 for enterprise users, which is much cheaper, according to Landberg, than the competing products from the likes of EMC, F5 Networks, and Brocade.

This means that AutoVirt will appeal mostly to those companies with a single datacenter and single IT department.

Founded in 2007, AutoVirt also announced that it had received $500,000 in seed funding, and $4 million in Series A funding from Sigma Partners and Kepha Partners.

Techworld is an InfoWorld affiliate.

EMC said Monday it will support a line of Emulex network adapters that use Fibre Channel over Ethernet (FCoE), giving a big-name boost to an emerging technology that could become the common transport across an entire datacenter.

The Emulex LightPulse LP21000 family of converged network adapters (CNAs) are certified for use in SANs with EMC's Connectrix NEX-5020 FCoE switch and Clariion, Celerra and Symmetrix networked storage systems. The CNAs function as both a storage adapter and a LAN adapter for servers.

[ Get the latest on storage developments with InfoWorld's Storage Adviser blog and Storage Report newsletter. ]

EMC has tested the CNAs under its E-Lab program and, starting in the next few weeks, will provide support for them, said Joe Jervis, senior director of product marketing at Emulex.

FCoE combines elements of Fibre Channel, the major storage network technology of the past 10 years, with Ethernet. The new standard, being developed by INCITS (InterNational Committee for Information Technology Standards), won't be formally completed until next year but is beyond the addition of any major changes, Jervis said.

The LP21000 family, announced in April, offers 10Gbps performance and was designed in collaboration with Cisco to ensure interoperability with the networking giant's Nexus 5000 datacenter switch. By combining several kinds of connectivity on one component, the converged network adapters reduce the number of adapters and cables required in each server, cutting space and power requirements in the process, Jervis said.

FCoE should allow enterprises to move away from having their servers connected to storage via one type of network and to the LAN by another. Some large datacenters also have Infiniband to tie together clusters. FCoE can take the place of all three, reducing the need for specialized staff, said analyst Bob Laliberte of Enterprise Strategy Group.

Certifications like EMC's are a critical step forward for FCoE, because they will help to give enterprises confidence that the products will work with equipment already in place. EMC's seems to be the first certification of FCoE gear by any major storage vendor, Laliberte said, but he expects many more to follow before the end of this year.

"It's just another important step in the process to get FCoE into enterprises and getting it tested and deployed for future production use," Laliberte said. Storage administrators are typically conservative, and most new FCoE users will spend next year in testing before rolling out FCoE on their live networks, he said.

Analyst Steve Schuchart, of Current Analysis, thinks FCoE is just a transitional technology on the way to rearchitected datacenters that use Ethernet throughout. It's necessary to network the storage gear enterprises already have, but Ethernet will eventually replace Fibre Channel completely because it's getting both faster and cheaper. "That's a dagger to the heart," Schuchart said.

Still, "it's not like Fibre Channel is just going to dry up and blow away," he added, saying the typical replacement cycle for datacenter network equipment is five years. Certification by major storage vendors is a big step to get it going because they largely call the shots.

"If I was going to build a storage network, and I'm all EMC, I won't buy anything EMC doesn't bless," Schuchart said.