Trojan Exploits Unpatched IE Flaw

onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'"

This is the perfect example

[this+great+guy]

...of why we say that MS doesn't care enough about the security of its users. MS should be even more committed into improving the speed of development & QA of security patches. This particular zero-day vuln is known since at least one week, and MS still hasn't distributed a fix. Delaying the release of a fix to Patch Tuesday doesn't make any sense when the vuln details are already publicly known. They should at least release beta patches (if the QA process is not yet complete) for users who NEED security and can afford potential stability problems. Other users can wait for Patch Tuesday if they want.

But one week is nothing compared to other vulns. Look at this list of other currently unpatched holes in MS products: http://www.eeye.com/html/research/upcoming/index.h tml. Some of them has been reported months ago and are still unfixed. This is inadmissible for a multi-billion dollars company.

Re:disable active scripting ...

[m50d]

And yet when someone suggests a firefox extension as a fix for something, that's all well and good.

Re:Fix just came out.

[MtViewGuy]

That would be great if you didn't have to update all your themes and extensions and/or wait for updated themes and extensions just to support Firefox 1.5. You'd think everyone would be more timely on this.