The threat of rogue security software, or 'scareware', has risen dramatically
over the past year or so, according to a new report from Microsoft, but there
was good news for the industry after a fall in the number of
vulnerability disclosures.
Scareware is used by criminals to extort money from vulnerable users by
persuading them that their PC is at risk or infected, and urging them to buy
bogus security software.
The Microsoft Security Intelligence Report Volume 6 claimed that these threats
are now among the most prevalent in the computing world.
The report highlighted Win32/FakeXPA and Win32/FakeSecSen, which Microsoft
has detected on more than 1.5 million computers, pushing them into the top 10
threats in the second half of the year.
Win32/Renos, meanwhile, which is used to deliver rogue security software, was
detected on 4.4 million unique computers, an increase of 66.6 per cent over the
first half of 2008.
"The criminals are playing on people's fears. People are aware of security,
and these guys want to prey on that," said Microsoft security and privacy lead
Cliff Evans.
"We are not seeing a whole new attack vector, but things are changing. There
is a different emphasis on rogue software now, and a shift from operating system
to third-party application vulnerabilities."
This continuing trend of attacking the application layer means that users
should always keep application versions up to date, apply new patches as soon as
possible and keep anti-malware software current, Evans advised.
While the "vast majority" of corporates understand the importance of these
precautions, education is still required for many consumers who do not
understand the value of automatic updates and the like, according to Microsoft
chief security advisor Ed Gibson.
"The report shows again that, because of the steps we're taking to make the
operating systems more secure, and working with partners and suppliers to
improve their [security] processes, [criminal] organisations are moving towards
the weakest link: you and me," he said.
There was a note of optimism in the report, however. Industry-wide figures
for unique vulnerability disclosures were down by 12 per cent from 2007, while
high severity vulnerabilities were down 16 per cent.
Graham Titterington of analyst firm Ovum agreed that the drive to improve
standards is having an effect on the quality of applications and systems being
built.
"To win the battle IT systems need to be engineered to be significantly less
vulnerable, and we are making progress on that," he explained. "Much is being
done to improve the standards in the engineering of systems and security
products."
Jay Abbott, threat and vulnerability leader at consultancy
PricewaterhouseCoopers, praised Microsoft for the work it had done in improving
the security of its products. But he warned that major risks still exist in web
applications and browsers.
"People are focused on delivering the product, and security is a secondary
problem so the code is often weak," he said. "Certainly we need better coding
practices, but even secure code can have holes picked in it."