As if Microsoft did not have enough on its security plate, what with the launch of Vista followed by the chorus of ‘it is not quite as secure as you would have us believe, is it’ from the world's media, things only go from bad to worse for the Seattle giant. News has emerged that Microsoft's Windows Live Messenger client has been displaying dodgy banner ads for several days. Not dodgy in the usual really bad bit of Flash animation or why would I want to buy a blade server for my bedroom kind of a way. Bad in an oh goodness me that banner ad is trying to install malware on my system kind of a way.
A double embarrassment for Microsoft considering the amount of marketing it is currently doing for its own anti-spyware application, Windows Defender (itself not exactly clear of criticism, as per this blog posting).
The adverts in question being for an application called, rather ironically under the circumstances, Errorsafe. Symantec give this a medium risk level rating and describe it as “… a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.” As such it is treated as malware or a PUP (potentially unwanted program) by many security vendors and applications.
Screenshots of the offending ads in situ, together with further background details, can be found at Spyware Sucks.
In an official statement on the matter, Microsoft spokesperson Whitney Burk says: “Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance.”
Unfortunately, as good as the advice at that particular site is, and I urge people to read it and take note, the fact of the matter is it would not help much in this case. Although there are lessons to be learned on all sides, and the consumer has to start taking responsibility for what they click on at the end of the day, it is Microsoft that must eat the biggest bit of educational humble pie methinks. The problem being that the risk in question was being served up by a trusted Microsoft application itself, right there inside Messenger where there is no getting away from the ads that Microsoft itself chooses to serve up to you. The responsibility in this case is not with the end user, but with the publisher of the adverts, and that is Microsoft. I suspect, as a direct result of this incident, there will be rather a lot of people searching Google for ‘remove ads from Windows Live Messenger’ and following the advice, no matter if that is ethically unsound and in violation of the terms of usage or not. Either that or investigating other IM clients of course.