Trojan Exploits Unpatched IE Flaw
onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'"
You mean that IE isn't 100% dedicated to perfect security?
I don't see the point of these announcements. People who care about not getting hacked are using Firefox, Opera, Safari or Lynx at this point.
People who still use IE... well... they probably won't do much in response to this warning anyway.
What are you eating? isItVeg?.
Before everyone gets too worked up bashing IE, as in the previous few articles on this exploit, let's remember that this problem was freezing/crashing Firefox 1.5 also.
Although the security threat isn't existent in Firefox, the browser still fails on these pages.
Now before I get flamed, let it be known that I think IE is a disaster and its lack of standards compliance is one of the main things holding back proper advancement in web technologies, but we don't want to go and be unfair when our browser crashes too!
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
So, the vulnerability is 6 months old, and it never got fixed as a minor risk. It got escalated to a highly critical risk (by almost all security bulletin systems) over 1 week ago, when a proof of concept came out showing that a malicious site could take control of a PC remotely. Now there are even malicious trojans out on the net exploiting this hole in IE.
So in 1 week, what did MS do? They promoted their new Live product of course. Microsoft released a security advisory stating that no patch exists to fix the problem, but you can visit the Windows Live Safety Center and get the trojan removed by Microsoft. So instead of using some resources to fix the problem, they instead devoted resources to their "anti-virus" software, and promoted it as the workaround. Well, one wonders, if this causes them to get significant visibility and traffic to their new product, why bother even fixing the original problem?