Latest MyDoom write-up:
McAfee
http://vil.nai.com/vil/content/v_129630.htm

Info on the Internet Explorer IFRAME Buffer Overflow Vulnerability
http://secunia.com/advisories/12959/

To top it off, it looks like Microsoft isn't going to patch this vulnerability in IE in November! Hooray MSFT!
http://www.microsoft.com/technet/security/...in/advance.mspx

Is this the first example of a piece of malware beating a patch by weeks/months? If a patch isn't released in November's batch (which comes out today!) does this mean that Microsoft is advocating all users to run AV software as part of normal OS operation? It is definitely best practice, but it looks like the only way to protect yourself as a normal user is to run AV!

lol how stupid are they?

anyway couldn't get the exploit working yet...

edit:

kk it worx ^^ stupid me

Most certainly not - 'drag n' drop', 'jscob'/'180 solutions' trojans have all been used recently for malicious purposes prior to patches being released. (Maybe one day M$ will actually test their products when one vulnerability is found for similar vectors).

It's also not a '0' day exploit now, more like a '0+10' day exploit at least.

Looks like M$ felt that this was more of a bug and then chose to lie in their press release. See F/D or bugtraq for more details

u dont have to get an AV to work safely win xp sp2 is not vulnerable to the public exploit , ur safe with it

True, true...but many corporations and even home users are still using vulnerable versions. Upgrades aren't necessarily an "easy" option to them - i.e. SP2 in corporate environments (lots of complexity and internal apps to test against it), and also Windows 2000 which is vulnerable and pervasive throughout the World.

Im suprised at how simple that IE Exploit it uses is, its the most basic one ive seen yet.