

Security the focus as Microsoft, Oracle patch bugs


It's the mother of all patch days for enterprise IT shops, with both Microsoft and Oracle releasing critical software updates Tuesday.

Microsoft kicked things off Tuesday morning with 11 security updates, including fixes for critical security bugs in Windows Active Directory, Internet Explorer, Excel, and the Microsoft Host Integration Server, which integrates Windows computers with IBM mainframes.


Security experts say that the Internet Explorer update, which fixes six bugs in the browser, is the one to watch. That's because it is rated critical for Internet Explorer 6 users running Windows XP -- a very common configuration in the enterprise.

But customers who are running Windows Active Directory on older Windows 2000 machines should move the MS08-060 Active Directory update to the top of their patch queue, said Don Leatham, a director of solutions and strategy at Lumension Security. Because an Active Directory server can be used to set permissions on other machines and manage users on the network, taking over this machine "would be the Holy Grail for someone trying to get into a company and totally disrupt it," he said.

Normally, Active Directory servers are blocked at the firewall, which means that an attacker would probably have to be on an internal network to mount an attack, said Eric Schultze, chief technology officer with Shavlik Technologies. But the bug "means any internal, disgruntled user can take complete control over Windows 2000 domains and domain controllers," he said via instant message.

Mitigating this concern, however, is the fact that Microsoft has not had any reports that this vulnerability has been exploited in an attack. While it's likely that an attacker could crash the Windows 2000 machine by exploiting this bug, "creating functioning exploit code to leverage remote code execution is difficult," Microsoft said in a note on its Web site.

In total, 20 security bugs were fixed in Microsoft's 11 updates. There were also six less-critical updates, rated "important," by Microsoft, for various Windows components, and a "moderate" patch to fix a bug that could let an attacker snoop information from an Office user.

Oracle's security updates, expected at 1 p.m. PT, will include fixes for 36 bugs in a range of Oracle products, including the company's flagship Database, its Application Server, E-Business Suite, and WebLogic server and development tools. Bug-fixes are also planned for the company's JD Edwards and PeopleSoft products.

It's unusual for both Microsoft and Oracle to be pushing out patches on the same day. Microsoft's security updates come out on the second Tuesday of every month, known as Patch Tuesday in the industry. But Oracle's patches are a quarterly affair, delivered on the Tuesday nearest the middle of the month. Typically, that puts the Oracle patches on the third Tuesday of the month, but this month, the Microsoft and Oracle release dates converged.

Tuesday's Microsoft updates came with a little more information for the company's customers too. They included a new section called the "Exploitability Index," designed to make it easier for Windows users to figure out which bugs are most likely to be exploited by hackers.

Microsoft now rates each vulnerability in its security bulletins with one of three labels: "Consistent Exploit Code Likely," "Inconsistent Exploit Code Likely," or "Functioning Exploit Code Unlikely."

The company said that exploit code was likely for bugs in the critical Internet Explorer, Microsoft Host Integration Server, and Excel updates. One of the Internet Explorer bugs, which could let an attacker gain elevated privileges on a Windows machine, has already been publicly disclosed, but is not thought to have been used in real-world attacks, Microsoft said.

Another first: Microsoft gave certain security partners early access to its updates this month so that they could roll attack detection into their software as the patches were released Tuesday.

Tue Oct 14, 2008



Hackers port Linux kernel to iPhone

If you know one thing about Linux users, it's probably this: They enjoy the challenge of installing their operating system of choice on pretty much anything with a transistor in it. It's only a matter of time before they get around to replacing all those electronic singing greeting cards to make the sound of penguin mating calls.

So the news that Linux has been ported to the iPhone and the iPod touch shouldn't exactly come as a shock; please hold your cries of heresy until the end. OpeniBoot, which brings the Linux 2.6 kernel to the iPhone platform, was developed by members of the iPhone DevTeam, the same folks who have long been working on cracking the iPhone's firmware every time a new version comes out.


The capabilities of OpeniBoot are still incredibly limited--at present, there's no support for writing to the flash memory, using the touch screen, wireless networking, the cell phone, sound, or the accelerometer. So if you thought that you'd be ending up with a fully operational Linux iPhone--or even a partially operational phone--I'm afraid you're going to be disappointed for now.

There's also some talk that this may pave the way for installing Google's Android OS on the iPhone, though as someone who's been using a G1 for a few days now, that seems like overhauling a Porsche to run like a Hyundai. But then again, there's always somebody who wants to prove that it's possible. So knock yourself out, guys.

Macworld is an InfoWorld affiliate



Greenpeace: Companies not serious about climate change

Consumer electronics giants Apple, Dell, Motorola, Microsoft, Nintendo, and Samsung have been slow to get serious about climate change, and are notably lagging behind, according to the latest edition of the Greenpeace Guide to Greener Electronics.

Many companies still show little engagement with the issue, which is a disappointment, according to Greenpeace International Climate & Energy campaigner Mel Francis.


"They are basically lagging behind on what we need for a good climate package. They haven't demonstrated any real commitment to cutting their own CO2 emissions, or to lobbying politicians to get a good deal post-Kyoto," said Francis.

"They assume that growth in their business also must therefore mean growth in their CO2 emissions. At Greenpeace we think that's not necessarily true," said Francis.

Greenpeace would like to see a lot more action going forward. "We are simply asking them to become climate leaders. They need to put their words into action and follow through on the claims they're making," said Francis.

Still, there are a few exceptions: Fujitsu Siemens Computers, Philips and Sharp support the level of cuts in greenhouse gases that science requires, according to Greenpeace.

In its latest Guide to Greener Electronics, Greenpeace gives Philips marks for committing to making absolute reductions in its own greenhouse gas emissions from the product manufacture and supply chain, which HP has done as well.

Both Philips and HP have also committed to making cuts in greenhouse gas emissions from their own operations. Nokia has done the same, said Francis.

Its overall ranking -- which takes into account company policies on toxic chemicals, recycling and climate change -- is topped by Nokia (Greenpeace likes its take-back program and use of renewable energy), followed by Sony Ericsson and Toshiba.

Philips and HP are in the bottom half of the list: good energy policies aren't enough, and both companies must improve how they handle e-waste, said Greenpeace.

Motorola, Toshiba and Sharp made the biggest moves up the chart, while the companies falling down the ranking are the PC brands Acer, Dell, HP -- and Apple, although it still gets a thumbs-up for improving its score, by better reporting on the carbon footprint of its products.

Apple's new iPods are also now free of both PVC and brominated flame retardants, according to Greenpeace.

In general, the PC manufacturers need to improve the handling of e-waste.

Dell and Acer also need to reduce their use of toxic chemicals, said Greenpeace. Dell loses points for withdrawing from its commitment to eliminate all PVC plastic and brominated flame retardants by the end of 2009.

The use of toxic chemicals has in the past been a focus area for Greenpeace, but here there has been some positive movement. Consumer electronics companies have been allies to Greenpeace as it has tried to reduce the use of toxic materials and get legislation passed, according to Francis.

Nintendo remains in last place in the ranking, although it is taking small steps to remove or monitor the presence of some potentially toxic additives in the plastics it uses, Greenpeace said.



JetBrains build tool enhanced for software development

JetBrains released TeamCity 4.0, a continuous integration server and distributed build management tool featuring enhanced build capabilities, this week.

Version 4.0 offers build chains support for breaking down a single build procedure into several parts that can be run on different build agents using the same sets of sources.

Other improvements in version 4.0 include the ability to redo a particular build from a particular control revision, known as a history build, and improved authentication mechanics.

With version 4.0, statistics are offered for an entire project. Extensibility is enabled via a Java API, the company said. A tests reordering capability determines which tests are likely to fail and performs those first during the next project build.

TeamCity 4.0 automates routines and streamlines the software development process. Team communication is improved, and teams can implement agile methodology, JetBrains said. The product integrates with multiple IDEs.

Eclipse integration is highlighted as is integration with ClearCase, with Eclipse backing bringing IntelliJ Idea IDE capabilities to Eclipse users.

"Since its creation, TeamCity has been a key element in our own development process," said JetBrains CEO Sergey Dmitriev, in a statement released by the company. "The production TeamCity server at JetBrains currently has over 50 build configurations in a build grid with more than 50 build agents, with literally every project and every developer using it on a daily basis."

Version 4.0 also has an improved search engine and user interface improvements, JetBrains said. TeamCity automates more than 600 Java code inspections.

TeamCity 4.0 is available free to individual developers and small-to-medium-size teams. The free edition is restricted to 20 build configurations and three build agents.



CBS Web site bitten by iFrame hack

TV network CBS has become the latest big name to have its Web site used to host malware, a security company has reported.

It appears that Russian malware distributors were able to launch another iFrame attack on a subdomain of the cbs.com site so that it was serving remote malware to any visitors. A user's vulnerability to the malware attack launched by the site hack would depend on a number of factors, including the type of security used on a PC, the operating system, and possibly the browser version.
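The attack described above depends on two things a page-level scanner can look for: an injected iframe that is kept invisible (zero size or hidden by style) and points at a remote host, and a script block that is obfuscated (eval of an unescaped or hex-encoded string) so that signature-based scanners miss it. The following scanner is an added example, not code from Finjan, CBS, or the original article; the HTML it scans is a constructed sample modelled on that pattern, and the hosts in it are invented.

```python
"""Flag hidden iframes and obfuscated script blocks in fetched HTML.

Added example: a minimal detector for the injection pattern described in
the article. The sample page, hosts and thresholds below are constructed
for illustration, not taken from the real incident.
"""
import re
from html.parser import HTMLParser

# Constructed sample: one legitimate embed plus an injected, invisible
# iframe and an eval(unescape(...)) loader. No real hosts are referenced.
SAMPLE_HTML = """
<html><body>
<h1>Show schedule</h1>
<iframe src="http://example.invalid/player" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0"
        style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65"))</script>
</body></html>
"""

# A width/height of "0", "0px" or "0.0" renders nothing on screen.
ZERO_SIZE = re.compile(r"^\s*0+(\.0+)?\s*(px)?\s*$")

# Obfuscation markers: eval of a decoded string, or long runs of %XX / \xXX
# escapes or fromCharCode integer lists (threshold of 20 is an assumption).
OBF_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\("),
    re.compile(r"(%[0-9a-fA-F]{2}){20,}"),
    re.compile(r"(\\x[0-9a-fA-F]{2}){20,}"),
    re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){20,}"),
]


def _is_zero(value):
    return value is not None and ZERO_SIZE.match(value) is not None


class IframeScanner(HTMLParser):
    """Collects (kind, detail, reasons) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _is_zero(a.get("width")) or _is_zero(a.get("height")):
                reasons.append("zero-size")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden-style")
            if reasons:
                self.findings.append(("hidden-iframe", a.get("src", ""), reasons))
        elif tag == "script":
            self._in_script = True
            self._script_chunks = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_chunks)
            for pat in OBF_PATTERNS:
                if pat.search(body):
                    self.findings.append(("obfuscated-script", pat.pattern, []))
                    break


def scan(html):
    """Return the list of findings for one HTML document."""
    parser = IframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail, reasons in scan(SAMPLE_HTML):
        print(kind, detail, ",".join(reasons))
```

The visible 640x360 player iframe is not reported; the zero-size, display:none iframe is reported with its remote src, and the script block trips the eval(unescape()) rule. In practice the src host of any flagged iframe is the indicator to compare against the site's own domains and to block or sinkhole, which is what took the CBS attack offline once the exploit server disappeared.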


"This saga confirms our many previous warnings that obfuscated code poses a serious threat to Internet users' PCs," said Finjan CTO Yuval Ben-Itzhak, who has devoted a fair amount of time in recent months to finding these hacks.

"Our Threats Reports have continued to identify the increasing use of code obfuscation as a means of bypassing traditional signature-based solutions in order to propagate malware," Ben-Itzhak continued, taking a pop at the anti-virus products against which his company in part competes.

"It also highlights the fact that no web portal, no matter how high ranking, can be totally secure against a system hack and consequent infection of its visitors. Web users need to exercise caution at all times," he said.

Finjan said it had informed CBS of the issue, but that the Russian exploit server had in any case been taken offline, neutering the attack for the time being.

iFrame and SQL injection attacks on big-name Web sites have been one of the fashionable attacks of 2008, embarrassing a string of household names.

Techworld is an InfoWorld affiliate.



Challenges await Obama in bid to build up security

As President-elect Barack Obama prepares to take office, the task of upgrading the security of federal computer systems continues to be a work in progress.

Several cybersecurity initiatives launched during the Bush administration are still years away from being completed. Others are closer to completion but don't do enough by themselves to defend networks and systems against increasingly sophisticated attacks, according to IT security analysts.


And, they said, resolving the security issues will require Obama to focus on more than just finishing the ongoing initiatives.

For starters, he needs to end the policy of tying federal cybersecurity efforts so closely to the post-9/11 war on terror, said Gartner analyst John Pescatore. "The terrorist attacks sent the Bush administration in the wrong direction" on cybersecurity, Pescatore said, adding that more immediate threats to federal systems have been overlooked.

Progress has been made, claimed Karen Evans, administrator of e-government and IT at the White House Office of Management and Budget (OMB). Evans said several security initiatives launched over the past few years are already making, or will soon make, a difference.

At the top of her list is a 2004 mandate by President Bush that required federal agencies to issue new smart-card identity credentials to all employees and contractors. But even that program hasn't been fully implemented. Agencies were supposed to finish issuing the new ID cards in late October, but most will need at least two more years to do so.

Other projects that Evans pointed to include a recent upgrade of federal networks to the more secure IPv6 protocol and the Trusted Internet Connections program, under which agencies are working to reduce their external network connections.

Evans also cited the Federal Desktop Core Configuration (FDCC) project, which is aimed at cutting costs and boosting security by requiring agencies to employ standard security settings on all Windows PCs.

Earlier this year, President Bush also put in motion a highly classified, multiagency program called the Cyber Initiative, with a goal of bolstering the nation's ability to detect and respond to cyberthreats against critical infrastructure targets.

Tom Kellerman, vice president of security awareness at Core Security Technologies in Boston, said the Cyber Initiative marked an "awakening" in Washington about the need for stronger cybersecurity efforts.

But Kellerman, who is a member of a commission that's developing cybersecurity recommendations for Obama, said much remains to be done. "The existing administration has only just begun to pay attention to cybersecurity" as a national security issue, he said.

Many of the ongoing initiatives are helping to improve security in bits and pieces, Pescatore said. But, he added, they were the result of "random edicts" from the OMB, not broad cybersecurity objectives.

Increasingly, new funding has been moving toward surveillance and monitoring initiatives related to fighting terrorism. While such efforts are needed, Pescatore said, they do little to protect federal agencies from cybercriminals.

Franklin Reeder, an independent consultant and former chief of information policy at the OMB, said the most important step for Obama is to use the government's purchasing clout to compel IT vendors to build more security capabilities into products. The FDCC program has shown that such an approach can be successful, Reeder said.

More spending is needed on security training, he added. He also thinks the feds must change how they work with the private sector on security. Existing programs, Reeder contended, "have just been convened by the government for the government."

This version of the story originally appeared in Computerworld's print edition. Computerworld is an InfoWorld affiliate.
