Ironically, the email ploy purports to be a message from Microsoft warning Windows users that they need to download the security patch to protect against email viruses.
Internet security firm Sophos Labs first reported the scam emails, which use subject lines such as “Update your windows machine,” “Urgent Windows Update” and “Important Windows Update.”
Users who click on the link are sent to a bogus website that claims to host Microsoft security updates but actually infects their computers with the DSNX-05 exploit.
“This criminal campaign exploits the public's rising paranoia about the security of their Windows computers," said Graham Cluley, senior technology consultant for Sophos. “If users fall for it, they may put themselves at risk of being spied upon or having their credit card and online banking details stolen.”
The campaign of bogus emails seems to have been timed to coincide with Microsoft's latest regularly scheduled security update. Sophos and another security firm, Websense, both reported that they had started receiving complaints about the exploit shortly after Microsoft announced it would be releasing the updates.
Infected PCs may be used as “zombie” machines to send continue spreading the exploit, without their owners' knowledge.
Microsoft reiterated that it never sends users mass emails or unsolicited messages containing links to security updates.
“We really want to emphasize with customers that microsoft.com is the only place to get authentic security updates for Microsoft products,” said a company spokesperson.