The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. The Delf-DH Trojan downloader uses an Internet Explorer vulnerability to infect unprotected Windows users who stray onto maliciously constructed websites. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites.

Security experts at the SANS Institute Internet Storm Centre speculate that the attack, though not widespread, is serious enough for Microsoft to release an out of cycle patch rather than waiting for its scheduled monthly patching day, which this month falls on 13 December. Microsoft isn't commenting on when a patch might be available.