Slashdot Mirror


Trojan Exploits Unpatched IE Flaw

onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'"

11 of 177 comments

  1. Re:disable active scripting ... by tehshen · · Score: 3, Insightful

    I was trying to say that Microsoft should never offer this as a patch - it's not a patch, it's just turning off functionality, akin to fixing a leaky pipe by disconnecting the water. (Though as a temporary fix, it works)

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  2. Crapware by PacketScan · · Score: 2, Insightful

    Would this be the 6 month old exploit that MS didn't feel was important enough to take care of? Complete Crap..

  3. This is the perfect example by this+great+guy · · Score: 4, Insightful

    ...of why we say that MS doesn't care enough about the security of its users. MS should be even more committed to improving the speed of development & QA of security patches. This particular zero-day vuln has been known for at least one week, and MS still hasn't distributed a fix. Delaying the release of a fix to Patch Tuesday doesn't make any sense when the vuln details are already publicly known. They should at least release beta patches (if the QA process is not yet complete) for users who NEED security and can afford potential stability problems. Other users can wait for Patch Tuesday if they want.

    But one week is nothing compared to other vulns. Look at this list of other currently unpatched holes in MS products: http://www.eeye.com/html/research/upcoming/index.html. Some of them were reported months ago and are still unfixed. This is inadmissible for a multi-billion dollars company.

    1. Re:This is the perfect example by Tschepsit · · Score: 2, Insightful
      This is inadmissible for a multi-billion dollars company.
      No, this would be standard practice for a multi-billion dollars company. Left hand, meet...oh crap, where'd right hand go?
  4. Re:Flaw? by TCFOO · · Score: 2, Insightful

    Sounds more like a feature to me ;-)

    Unless you don't want to see that stuff.

    Think about this. 10 year old little Jimmy is on Yahoolagins playing Go Fish, and Delf-DH decides to work its magic just as his mother walks into the room. The poor kid is going to have a sore rear end because of some malware and an IE security flaw.

  5. Re:Wait a minute! by supra · · Score: 2, Insightful

    > People who care about not getting hacked are using [a non-IE browser]
    Unfortunately there are still some sites that require IE, if for no other reason than ActiveX.
    A friend works w/ a site whose interface is primarily ActiveX. He doesn't want to use IE, but at least for that site, it's his job if he doesn't. That starts the snowball effect (personal settings, bookmarks, default browser, etc) which makes it harder to *only* use IE for that particular site.
    Sad but true.

    --
    On a computer or under a hood.
  6. Re:Fix just came out. by realnowhereman · · Score: 2, Insightful

    I like en_GB as much as the next man; but I'd hazard a guess that en_GB is lower priority as we can get by perfectly well with en_US. Slovenia, Norway and Finland - probably not so much.

    --
    Carpe Daemon
  7. Re:Fix just came out. by Anonymous Coward · · Score: 1, Insightful

    You'd be surprised.

  8. Re:disable active scripting ... by m50d · · Score: 4, Insightful

    And yet when someone suggests a Firefox extension as a fix for something, that's all well and good.

    --
    I am trolling
  9. Re:Fix just came out. by MtViewGuy · · Score: 4, Insightful

    That would be great if you didn't have to update all your themes and extensions and/or wait for updated themes and extensions just to support Firefox 1.5. You'd think everyone would be more timely on this.

  10. 3rd time reported, and it's still not news by GISGEOLOGYGEEK · · Score: 2, Insightful

    Thanks slashdot, you've now reported this non-story 3 times.

    How about we start reporting every little problem with non-MS products 3 times each ... instead of maybe reporting every 5th problem.

    It's time for a little balance here!

    --
    George Bush + Linux = "I will not let information get in the way of the fight against Windows"