Hoax security software that leads PC users to believe they have a virus on their system was one of the biggest security threats last year, says Microsoft.

According to the software company's latest security report, bogus security software programs often offer a free scan that falsely says a user's computer is infected. If installed, the programs are ineffective against malicious software. Security experts have theorised that those behind the programs reap lucrative profits.

Microsoft said it has detected two Trojan horse programs, Win32/FakeXPA and Win32/FakeSecSen, masquerading as security software on more than three million computers in the last six months of 2008.

The report also revealed that software vulnerabilities dropped three percent in the last half of 2008 compared to the first six months of the year. But more than half of all of the vulnerabilities were considered 'high severity' under the Common Vulnerability Scoring System (CVSS). Also, more than half of those problems were considered pretty easy to exploit, putting internet users at greater risk.

Microsoft software contained six of the top 10 browser-based vulnerabilities used by hackers against computers running Windows XP.

Hackers also continued to try to exploit older vulnerabilities in Microsoft applications. The most frequently exploited flaw in Microsoft Office, CVE-2006-2492, was patched more than two years ago yet is still targeted by 91.3 percent of attacks against the software suite.

In 2008, Microsoft released a total of 78 security bulletins that fixed 155 vulnerabilities, which represented a 16.8 percent increase over 2007.

Attackers also looked to exploit problems in other third-party software from vendors such as Adobe, whose PDF reader is widely used. Adobe has had several security vulnerabilities over the last year in its Reader product. Microsoft said it saw more than double the number of attacks aimed at PDF in July 2008 as it did in the whole six months prior.

Vulnerabilities in Microsoft Office file formats and PDFs are golden for hackers, since people can often be persuaded to open the documents using social engineering tricks via email. Microsoft said more than 97 percent of email messages are unwanted because they either contain malicious attachments, are spam or promote a phishing site.

The US remained the number one country for hosting phishing sites, the report said.