Although Microsoft describes its fix as a nonsecurity update, the patch "certainly does have security implications," said Ben Greenbaum, a senior research manager with Symantec Security Response. "It allows users who were expecting -- with good reason -- a certain level of protection out of the feature to actually get that level of protection."

It turns out that Microsoft had actually produced a for the issue, which users could download themselves, as far back as May 2008. It had also pushed out a that fixed the problem for Vista and Server 2008; but this fix was not automatically updated for Windows 2000, XP and Server 2003 users until Tuesday.