Banner advertisements that install malware onto the user's computer went unnoticed for several days on the MSN Messenger service, according to researchers.
The advertisements appear to promote a security application, known as Winfixer or ErrorSafe, that is said to identify and repair threats and other computer problems. The malware is downloaded and installed onto the user's machine without their authorization and displays fake security warnings to entice the recipient into buying a licensed copy of the product, according to security analysts.
"This is very bad news for users of MSN Messenger, and for MSN and Microsoft," said Sandi Hardmeier, on her Spyware Sucks blog, where the incident was first reported. "I am struggling to express how upset, disappointed and worried I am that this has happened. For years I have been holding up MSN Messenger banner ads as an example of how they can be safely served to end users without putting them at risk of malware."
She added: "Now everything has changed. Users have been put at direct risk through no fault of their own, and they cannot avoid the MSN banner ads when the contact pane is open without using a third-party hack that is ethically wrong to use."
Microsoft has now acknowledged the problem and removed the advertisements, which were displayed in the contacts panel in its instant messaging program.
Whitney Burk, a PR manager at Microsoft, said in a statement: "We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our advertisement approval process to reduce the chance of this happening again."