The latest Windows abomination -  and it really is nasty, you should patch it right away - comes to you courtesy of an update to a little-known hacker utility called the Web Attacker toolkit that costs just US$20.

The toolkit's a DIY malware builder that simplifies the construction of spyware and adware, and contains a guide to setting up spam-driven panics that trick users into visiting infected websites. It even cheekily claims to offer technical support.

The kit - which identifies which browser and version you're using - was recently updated with details of a buffer overflow in Windows' Vector Markup Language (VML) that allows the drive-by installation of malicious code even on fully patched machines. (You can see it at work here.) Just visit one of nearly a thousand websites - or a website that imports an IFrame from one of those sites - and you're infected.

Ultimate credit of course must go to the world's most insecure browser and the company behind it. Yet again Microsoft have been caught napping. For years they've claimed to have thoroughly vetted all their systems for precisely this sort of vulnerability, yet time and time again more emerge. Hackers and malware merchants continue to run rings around them - even without the source code.