Although I’ve been using a Mozilla browser as my primary Web client for some time now, I’m still using Outlook Express as my default e-mail client. Everybody knows it’s very vulnerable to viruses and Trojan horses, but I was careful and never had any problem — until now.
Today I got a strange spam. It didn’t contain any links or images, and its message didn’t advertise any product. I was curious, and I read it not knowing I was opening my system to a spyware application. So I was very surprised when I opened the Windows Start menu and found scores of links to pornographic sites sitting on it. As I soon found, the links were scattered across the whole system in every conceivable place a link could be inserted. Also, Internet Explorer’s default page had been changed and a new bar had been added to it, overriding the default navigation bar.
It was easy to discover that the culprit was a spyware called SurferBar, which has existed for a long time, but has now found a new way to get itself installed on systems lacking the proper updates. It exploits a new vulnerability in the Internet Explorer HTML renderer — used by Outlook Express — by constructing a special object tag that bypasses Internet Explorer’s security sandbox. The vulnerability is recent, but Microsoft has already issued a patch. Removal was simple, albeit bothersome.
After that, it’s definitely time to change my e-mail client. Shame on me, I know, for using such an insecure client as Outlook Express. I had been planning to switch to another client for a long time, but had postponed doing it because of the trouble involved. I hope I don’t make the same error again.