Trojan horse rides on unpatched IE flaw

Attackers are taking advantage of an unpatched vulnerability in Internet Explorer to target users of the ubiquitous Web browser, Microsoft warned late Tuesday.

Malicious software that exploits the security flaw to download a Trojan horse to vulnerable computers has been found on the Internet, according to Microsoft. Detection and removal capabilities for the "TrojanDownloader:Win32/Delf.DH" have been added to Microsoft's recently launched online security-scanning tool.

"Customers can visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove this malicious software and future variants," Microsoft said in its updated security advisory on the issue.

The security bug, exploited by the Trojan downloader, was originally reported in May. The bug was thought to only allow for a denial-of-service attack, which would cause IE to close. However, experts last week raised an alarm on the issue because it was discovered that it could be used to remotely run code on a vulnerable computer.

Microsoft has yet to provide a fix for the vulnerability, but is working on a patch, according to the security advisory. Security-monitoring company Secunia deems the problem "extremely critical," its rarely given highest rating.

The vulnerability puts computers running Windows 98, Windows Millennium Edition, Windows 2000 and Windows XP at risk. An attacker could gain complete control of vulnerable systems by hosting malicious code on a Web site. Once an IE user visits the site, the malicious program would run without any user interaction.

Microsoft offers several workarounds to deflect attacks. These include changing IE settings to disable active scripting or prompt the user before running such scripts.

[Hobo453567]

Considering

Considering the fact that everyone jumps on Sony when they screw up I am surprised there were no comments here. MS has never released a finished product and yet it seems as though people have accepted that and are okay with it. Why do people jump all over anyone but MS when they screw up? Is it because MS usually tells people they screwed up? I am just tired of people immediately jumping on other companies but being "okay" with what MS does.

[ddesy]

Not okay

I can't say I'm okay with what Microsoft did. I never am okay with their product quality. I think I can speak for many in saying, however, that when MS screws up it's never a surprise.

Sony doesn't usually make mistakes that are quite as potentially harmful, so people reacted quickly.

[Bill Dautrive]

re

MS screws something up on a weekly basis. It is not really new nor is it suprising. It is definately not OK, but the reason many people ignore or defend it is one of PR.

The only thing MS really does well is PR. They are great at making people who are technically ignorant, to think that MS is a world class company and produces the best that is possible. The get people to believe that a gajillion flaws a month is normal, because no program is bug-free.

Yes, no program is bug-free, but that does not excuse the inept programmers at Microsoft. Look at what most of the flaws are: exploitable code because of buffer-overflows, whether on the call stack or on the heap. Those types of errors are very amatuer-hour. They are very easy to avoid, it just takes some attention to detail.

But somehow people went from, "no program is bug-free" to it is ok to release code that is easily exploitable. In a sick way you have to admire the genius of that. Has there ever been a corporation that is at or near the top that has produced such consistant crap, yet has a large, diehard(although, extremely ignorant) fanbase?

[PurePacket]

It's a possibility, not a problem

Considering the worst threat we've had all year was a low-rate mass-email worm that you will probably never see, I don't know why people get so uppity over security fixes. EVER OS has security fixes. An operating system is so major there is ZERO chance of anyone developing one that is as functional as the ones out there now yet has no security holes. It will never happen. Even Unix has trojans listed in the Symantic database.

99% of virii that are found in the wild exploit vulnerabilities that have already been fixed. Windows has built-in updating to keep you safe. If you turn it off, you get what you deserve. You don't even need an anti-virus. I have zero anti-virus or anti-spyware active scans, it's all paranoia and shock news that started with Melissa in '99 and I Love You in '00. And those were worms too. I wouldn't worry about it.

[FutureGuy]

Screw up??

Who said Sony screwed up? Sony installed a spy ware like product on users PC without even getting user consent, that is not screw up, its planned and executed just they wanted. It wasn?t a mistake by any measure, it was just stupid. The bug in IE is bug for which, as per the article MS is working on a patch and has released a tool to remove the said worm. If MS intentionally put that bug in then they should be liable. This is bug, just like the host of bugs Apple just released patches for and the few dozed for with Firefox recently released patches. You are just dying to sue MS, aren?t you ;)

[Dj Osiris]

Patches Take Time!

It is important to understand from a development point of view these security patches are no small adventure. You have to make sure that your code changes are not only patching the existing security problem but also not opening new ones or creating other bug issues. The patch isn't what takes so long. It's testing, fixing, re-testing and continuing that process until you reach a point where it is ready. Depending on the affected sub-systems (IO/KERNEL/DLL/REG/APP) this can require hundreds of people to be involved. No I do not work for MS.

[Eskiegirl302]

You missed the point

Sony Corporation messed up a lot of people including businesses. They hid their information about what that software would do to peoples computers. It was [b]NOT[/B] just a mere oversight, or something they did not know was there. They did not warn people what this would do to their systems, as microsoft is doing right now. MS cannot know what patches they need, untill the scriptors make the code. IT is never perfect and ever evolving. People have to stay informed. However, you cannot be informed about something untill it happens. It is a never ending cycle. The users who get hit with viruses and attacks are just as much to blame. They come on the net thinking it will never happen to them. So they don't protect from the outset. Then BOOM! Their system goes down. They throw up their windows, and just keep on truckin untill they have a problem. They are not literate as some would think they should be. There is tons of info out there if they want it. But Sony! That was downright uncalled for. They knew. They broke peoples systems. Then they never even had the decency to apologize for it. I will never touch another sony product as long as I live! MS might be slow but they at least have the decency to let people know when they become aware of things. The virus writers let them know something is wrong. That is just the way of the internet. You trust people out there, that is your own problem.

Happy Cruising

[Techie2010]

Owned.

More of a reason to use Firefox. Microsoft needs to get its ass in gear or they're gonna fall behind.

[PurePacket]

FF not better

You think Firefox is safe from this? FF has had more security fixes in it's short lifetime than Opera ever has. In the same period of time, it's even had more than IE. If you really wanted safe you'd choose Opera, the fastest and most secure browser. It's light years better than FF ever will be. FF really isn't that great, you shouldn't tell people to switch to it if you don't even know just how bad it is. Who told you it was safe?

[Eskiegirl302]

Hey!

I just switched to FireFox a couple days ago. It has tons of extensions, and I am still reading the site. So far I like it ok. Used IE for years. Never tried Opera, for the reason he said. Not gonna pay for it. I got my google bar that is what I most care about, and the dude who invented FireFox just went to work at google. That's cool, cause soon Google is coming out with its own antivirus. I love it. Go guys Go!

[murophelia]

Well then-- ACK

So my computer has been compromised and completely hijacked since 12 November. And it sucks. Can anyone fix it? No.

We also use a MAC.
I dont think I am going back to the Gates of Hell.

If I only had a brain...

I'd have been surfing with ActiveX and Active Scripting turned off for darn near the last eight years. Then I'd not be complaining about popups, drive by malicious application installations, or any of 32 dozen other associated security problems over the years. If everyone just quit using it including the morron web developers at c/net we'd all be better off.