Microsoft's Windows Live Messenger client for several days has displayed banner ads that attempted to install malware on users' systems.
Microsoft has acknowledged the incident and has removed the offending advertisements.
"We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again," Whitney Burk, a PR manager with Microsoft, said in an emailed statement.
The banners inside Windows Live Messenger advertised Errorsafe, an application that claims to detect and repair computer problems. The software is notorious because it often gets installed without the user's permission and because it presents false security warnings that are intended to make the user purchase a licensed copy of the software.
Most security vendors list Errorsafe and related software such as Winfixer as a potentially unwanted program or a security risk.
"This is very bad news for users of MSN Messenger, and for MSN and Microsoft," Sandi Hardmeier, a Microsoft 'MVP', wrote on her Spyware Sucks blog.
Security experts in the past have pointed to banner advertisements as a potential way to distribute malware and exploit software vulnerabilities. They offer malware authors a potential way to post their attack code on trusted, mainstream websites.
The Windows Live Messenger incident further confirms the risk of such attacks.
"I am struggling to express how upset, and disappointed, and worried, I am that this has happened. For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware."
"Now, everything has changed. Users have been put at direct risk through no fault of their own and they can't avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use," Hardmeier concluded.