I think I've grasped this malleability issue, but is it just me or is it really a non-issue with reference to the core Bitcoin protocol? I.e. current advice is to wait for 6 confirmations to safely assume your transaction is 'bedded in' to the block chain. The transaction IDs are different due to the 'relayer' creating a second one, but each input and output is identical (addresses, TXID, amounts etc.), therefore only one will be accepted anyway!!
So I kinda agree with those saying this is more about the way the exchanges are working as opposed to a 'bug'.
Let's say you have a new wallet. You've funded your wallet by sending some coins to an address using a single transaction. Now that you have a balance, you want to spend/send some coins. You send a few coins to vendor A. A little while later, you find something you want to buy at vendor B. So, you go ahead and send some coins to vendor B. Let's say there were no blocks found in the time period between your two purchases.
The coins you've sent to A were already confirmed and your wallet software allows you to send them.
The coins you've sent to B were not confirmed (they were change from the first transaction and there has been no block), yet your wallet allows you to send them anyway.
If the transaction you sent to A was changed by the bot currently attacking the network and the changed transaction is accepted in the next block, the transaction to vendor B will be invalid (never included in a block).
You won't lose any coins in the process, but some users might not understand why their second transaction was invalid.
Having unexpected things occur is not acceptable when dealing with wallet software. This is how the current version of Bitcoin-Qt works.
If you don't understand my post, here is someone with far more technical knowledge than me explaining it:
https://bitcointalk.org/index.php?topic=460944.0
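The vendor A / vendor B scenario above, as an added example that is not part of either post. It uses a simplified transaction model, not the real wire format; `Tx`, `effect_id`, `spendable` and `find_replacement` are hypothetical names, and all values are constructed. It shows why the payment to B becomes invalid and how a wallet can recognise the changed copy of its own payment by ignoring the signature bytes.

```python
import hashlib

def dsha(b: bytes) -> str:
    """Bitcoin-style double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(b).digest()).hexdigest()

class Tx:
    """Simplified transaction (assumption: not the real serialization)."""
    def __init__(self, inputs, outputs, script_sig: bytes):
        self.inputs = inputs          # list of (prev_txid, output_index)
        self.outputs = outputs        # list of (address, amount)
        self.script_sig = script_sig  # signature bytes, stand-in values here

    def _body(self) -> bytes:
        return repr((self.inputs, self.outputs)).encode()

    def txid(self) -> str:
        # The id covers the signature bytes, so a re-encoded signature gives a new id.
        return dsha(self._body() + self.script_sig)

    def effect_id(self) -> str:
        # Hypothetical wallet-side key: what is spent and who is paid, signature excluded.
        return dsha(self._body())

def spendable(tx: Tx, confirmed: dict) -> bool:
    """Valid only if every input names a txid and output that exist on chain."""
    return all(prev in confirmed and idx < len(confirmed[prev].outputs)
               for prev, idx in tx.inputs)

def find_replacement(sent: Tx, confirmed: dict):
    """Return the confirmed txid with the same effect as `sent`, or None."""
    for txid, tx in confirmed.items():
        if tx.effect_id() == sent.effect_id():
            return txid
    return None

# Constructed sample data: funding -> payment to A (with change) -> payment to B.
funding = Tx([("coinbase", 0)], [("me", 10)], b"sig-funding")
to_a = Tx([(funding.txid(), 0)], [("vendorA", 3), ("me-change", 7)], b"sig-encoding-1")
to_b = Tx([(to_a.txid(), 1)], [("vendorB", 2), ("me-change2", 5)], b"sig-b")
to_a_changed = Tx(to_a.inputs, to_a.outputs, b"sig-encoding-2")

# The changed copy of the payment to A is the one that gets mined.
chain = {funding.txid(): funding, to_a_changed.txid(): to_a_changed}
print("payment to B still valid:", spendable(to_b, chain))
print("payment to A confirmed as:", find_replacement(to_a, chain))
```

A wallet that finds a replacement this way can mark the payment to A as confirmed under its new ID and rebuild the payment to B against the confirmed change output, instead of leaving the user with an unexplained failure.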