I'm not surprised they say they've found security holes in Windows Media Player skins. I did one of the first skins Microsoft commissioned for Player 7, and the potential for those things is remarkable. Basically, anything you can do with a local, scripted web page is open to the developer.
That being said, the default settings on most people's browsers prevent these kinds of exploits. And I'm really tired of this George Guninski guy making a name for himself by "discovering" these "vulnerabilities". Being able to run signed code was a design decision Microsoft made. I understand why people object to that decision; those opinions are legitimate, and there are platforms that make other decisions in those regards.
But there are problems with the constant teeth-gnashing and hand-wringing over the handling of unsigned code on Windows/IE machines. First, people blindly click "OK" and "Run" on every goddamn thing they see. If they get a program from a stranger, set their security settings to let any random program run (and they do have to set them; it's not the default), and then decide to run a program that screws up their machine, what should be the result? I say they should be fucked. A little judgemental and perhaps overly Darwinistic, but those are fundamental flaws of my character, and I'm happy with them.
I know, I know, I'm blaming the victim, and what about people who don't know any better, and blah, blah, blah. But believe me, there are so many warnings you have to click through that a user has to have made at least three separate decisions to exceed their level of knowledge and keep pushing towards their own destruction before anything bad will happen. I see it as a decision akin to smoking: if they want to kill themselves, go ahead, as long as they don't affect me.
Which brings me to the second, bigger point. The George Guninskis of the world, with their sky-is-falling alarmist security announcements, punish advanced users by pretending that these are big dangers for home users, and then I lose things like the ability to get to a goddamn program that someone emails me.
So the hell with you, George. I mean that in the nicest possible way.