MySpace hit by security breach

More than a million MySpace users have been exposed to spyware that exploits a Windows vulnerability through a banner ad on the site, the BBC reported on Friday.

Those using Internet Explorer that has not been patched against the Windows Meta File (WMF) vulnerability could be exposed to spyware and adware.

The vulnerability in the way WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mails or instant messages, or via Web sites.

Reports suggest the advert has been running for approximately a week.

Security company iDefense detected computer servers being used to log how many times adware was installed from the advert, according to the Washington Post.

More than one million installations of the adware were logged before the servers were shut down.

"This is a criminal act," said Hemanshu Nigam, MySpace chief security officer, according to reports. "This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours."

"We are working to have these ad networks remove this ad so that they do not appear on our site," Nigam said.

Tom Espiner reports for ZDNet UK in London.