Computer users who were infected by malware from visiting MetService's website last week are understandably upset.

Any website that chooses to accept advertisements from third parties is at heightened risk of becoming a conduit for malware, because hackers can pose as advertisers and try to slip malicious code into their uploads.

Such websites have a responsibility to minimise that risk and to quickly come clean if they have been compromised.

Tim Nichols, vice-president of award-winning technology company Endace, says the MetService ad server that was compromised by hackers used an open source software system called OpenX which "has a reputation of being not the most secure product out there" and made itself more vulnerable by failing to hide the type and version of the software it had installed.

He adds that if MetService had network traffic monitoring software from the likes of Endace, it could have detected the problem much sooner. MetService believes its site was being used to dish out malware for four hours, but some reports suggest that may have been happening for days.

Nichols' view: "There is now no longer any excuse for anyone not to have the tools to stop this shit as it happens."

MetService marketing manager Jacqui Bridges responded that it was "not interested in commenting on what they have to say about us or entering into a debate. We are instead getting on with taking all possible steps to ensure this does not happen again".

Though MetService's web support team discovered that its ad server had been compromised at 8pm on Tuesday, its frontline communications staff had not been briefed by 9.30am the following morning.

MetService first acknowledged the issue in a Twitter message sent after The Dominion Post contacted it for comment on suspicions from readers that it was the source of their malware.

That inevitably raises the question of whether MetService was planning to fess up before it was contacted by the media. This is how Bridges responded to - or rather avoided - that question:

"We acknowledged the issue first with action - taking down the server to make our website safe, then working overnight to identify and begin resolving the issues - and then with communication, first on Twitter to those affected, and followed by various media interviews and a news release."

Bridges says it has no intention of pulling advertising from its website as the revenue is vital. "Without it we would not be able to provide the high level of detail and timeliness that New Zealanders now rely on and enjoy."

But that does leave the ball in the court of MetService to rebuild trust with internet users, many of whom will otherwise no doubt be surfing elsewhere for their weather.