Millions of visitors to popular (as well as a number of other websites) may have been infected with spyware, according to security firm iDefense. iDefense claims that the spyware infects unpatched versions of Windows using a security flaw in the way the operating system and Microsoft Internet Explorer open Windows Metafile images.

A banner for loads a Trojan horse program onto unpatched systems. The installed spyware tracks the user's Internet usage and causes the infected system to be plagued with pop-up ads.

"This is a criminal act," said Hemanshu Nigam, chief security office at MySpace, in a statement. "This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours. We are working to have these ad networks remove this ad so that they do not appear on our site."
Ralph Thomas, a senior analyst for iDefense, feels that MySpace should have done more to prevent this. He claims that even though they are not the originator of content, the malware was delivered through their page so it was their responsibility.

"MySpace has some problems and this is a real blunder on their part," said Rob Ayoub, an analyst at the research firm Frost & Sullivan. "I can't believe any business would not scan or take more caution with banner ads posted on their sites. Ad network or not, there is no excuse for them not having a checking system."