As far as I could tell, the vector was AOL IM. So, it's not only M$ and outlook. Why oh why are vendors shipping with defaults like no restrictions on "buddy" downloads and execution?

Hiya, The same reason why some linux installs were/are totaly open: They wanted it to work outta the box. It's viewed that it's better to have your product widely in use and insecure (so now the user has to come back and pay you or someone else for security--or take care of it themselves) than to have it secure from the get-go and not used much because it is too much of a PITA to get up and running... /herb