An "extremely critical" threat may cause Microsoft to release a patch before its next scheduled round of software patches.
The unpatched vulnerability in Internet Explorer is bad enough, said the company which reported the Trojan drive-by download exploit to Redmond, that Microsoft will probably fix the problem before this month's scheduled patch day, December 13th.
"This is an extremely critical threat," said Alex Eckleberry, president of anti-spyware developer Sunbelt Software. "It's not widespread, it's not like a Sober or a Zotob; in fact we've seen it on only a limited number of sites. But it's really, really bad.
"Even running a fully patched Windows XP SP2 system, you can still get nailed."
The hole in Microsoft's popular IE browser goes back several months, when a researcher reported the vulnerability to Microsoft. Initially, the bug was thought to only crash the browser, but new information points to a greater threat: that an attacker can run malicious code remotely on a compromised PC by luring users to a malicious Web site.
That's exactly what's happening now, said Sunbelt's Eckleberry. On Tuesday morning, he told Microsoft that his researchers had found several Web sites which were exploiting the vulnerability to drop a Trojan downloader onto PCs. That downloader, in turn, was loading pornography-related spyware on users' systems.
Late Tuesday, Microsoft revised a security advisory from a week earlier to note that an exploit was circulating, and identified the Trojan as "TrojanDownloader:Win32/Delf.DH." The Redmond, Wash.-based developer has posted additional information about the Trojan here.
As is Microsoft's policy, it refused to elaborate on plans to produce a patch. "Microsoft has not provided any specific timing [on a possible patch]," said a Microsoft spokesperson Thursday in an e-mail to TechWeb. "As noted in the advisory, Microsoft is still investigating the issue and once that investigation is complete, [it] will take the appropriate action to protect customers which may include a security update as part of the monthly release process or an out of cycle update."
Eckleberry thinks that Microsoft will put out a patch before the regularly scheduled security bulletin release date of Dec. 13. The last time Microsoft pre-released a patch was Dec. 1, 2004.
"When I talked to them Tuesday, they said 'thanks,' and said they were investigating it, which is their usual," Eckleberry said. "So they're working on it.
"But you can bet that they'll go out-of-cycle. They absolutely need to go out-of-cycle on this one."
Eckleberry advised users to update their anti-virus definitions. Most anti-virus vendors have updated their definitions to account for the TrojanDownloader:Win32/Delf.DH.
"Users armed with anti-virus products are in much better shape, but if they don't have anything on their systems, they could be in trouble."