Bill Brenner of SearchSecurity.com writes:

Windows users who haven’t already done so might want to download a patch Microsoft issued in January to fix critical cursor and icon format handling flaws. PandaLabs said it has detected the first adware to target the security holes.

The Glendale, California-based anti-virus firm said Searchmeup uses the vulnerabilities to download onto computers without users’ permission. Pages from which Searchmeup are downloaded also contain numerous exploits that can download other malware onto affected computers. This includes the Tofger-AT Trojan horse, which steals banking passwords; Dialer-BB, Dialer-NO; and another adware program called Adware/TopConvert.

“The appearance of Searchmeup is a sign of the continuous evolution of malware, and of adware and spyware in particular,” PandaLabs director Luis Corrons said in a statement. “The first stage was that adware reached computers as a component of a freeware application, then Web pages appeared that installed adware on users’ computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now.”

['Adware' First To Exploit Critical Windows Flaws, continued]