The same thing holds true for Windows
Update. I would think the EU and the DOJ/FTC would be up in arms about such
practices.

Here is the e-mail regarding a security flaw in Office that started me down
this path:

 National Cyber Alert System

 Technical Cyber
Security Alert TA05-193A

 Microsoft Windows, Internet
Explorer, and Word Vulnerabilities

 Original release date: July 12, 2005
 Last revised: —
 Source: US-CERT

Systems Affected

 * Microsoft Windows
 * Microsoft Office
 * Microsoft Internet Explorer

 For more complete information, refer
to the Microsoft Security
 Bulletin Summary for July, 2005.

Overview

 Microsoft has released updates that
address critical vulnerabilities
 in Windows, Office, and Internet
Explorer. Exploitation of these
 vulnerabilities could allow a remote,
unauthenticated attacker to
 execute arbitrary code on an affected
system.

I. Description

 Microsoft Security Bulletins for July,
2005 address vulnerabilities in
 Windows, Office, and Internet
Explorer. Further information is
 available in the following
Vulnerability Notes:

 VU#218621 – Microsoft Word buffer
overflow in font processing routine

 A buffer overflow in the font processing
routine of Microsoft Word may
 allow a remote attacker to execute
code on a vulnerable system.
 (CAN-2005-0564)

 VU#720742 – Microsoft Color Management
Module buffer overflow during
 profile tag validation

 Microsoft Color Management Module
fails to properly validate input
 data, allowing a remote attacker to
execute arbitrary code.
 (CAN-2005-1219)

 VU#939605 – JVIEW Profiler
(javaprxy.dll) COM object contains an
 unspecified vulnerability

 The JVIEW Profiler COM object contains
an unspecified vulnerability,
 which may allow a remote attacker to
execute arbitrary code on a
 vulnerable system.
 (CAN-2005-2087)

II. Impact

 Exploitation of these vulnerabilities
could allow a remote,
 unauthenticated attacker to execute
arbitrary code with the privileges
 of the user. If the user is logged on
with administrative privileges,
 the attacker could take control of an
affected system.

III. Solution

Apply Updates

 Microsoft has provided the updates for
these vulnerabilities in the
 Security Bulletins and on the
Microsoft Update site.

Workarounds

 Please see the individual
Vulnerability Notes for workarounds.

Appendix A. References

 * Microsoft Security Bulletin
Summary for July, 2005
 <http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx>

 * US-CERT Vulnerability Note
VU#218621
 <http://www.kb.cert.org/vuls/id/218621>

 * US-CERT Vulnerability Note
VU#720742
 <http://www.kb.cert.org/vuls/id/720742>

 * US-CERT Vulnerability Note
VU#939605
 <http://www.kb.cert.org/vuls/id/939605>

 * CAN-2005-0564
 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0564>

 * CAN-2005-1219
 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219>
 
 * CAN-2005-2087
 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>
 
 * Microsoft Update
 <http://update.microsoft.com/>

 * Microsoft Update Overview
 <http://www.microsoft.com/technet/prodtechnol/microsoftupdate/defa
 ult.mspx>

 _________________________________________________________________

 Feedback can be directed to the
US-CERT Technical Staff.

 Please send mail to [email protected] with
the subject:

 "TA05-193A Feedback
VU#720742"
 _________________________________________________________________

 This document is available at

 <http://www.us-cert.gov/cas/techalerts/TA05-193A.html>
 _________________________________________________________________

 Produced 2005 by US-CERT, a government
organization.
 _________________________________________________________________

 Terms of use

 <http://www.us-cert.gov/legal.html>
 _________________________________________________________________

 Revision History

 July 12, 2005: Initial release