[lbo-talk] Re:

Dwayne Monroe idoru345 at yahoo.com
Fri Jul 23 09:17:18 PDT 2004


Kelley wrote:

Yah. But doesn't it get back to 'doze? The recent attacks on Mozilla and Opera were about a shell: a request sent to an external handler. The handler's security takes over in NT, 2K and XP with their jazzy default settings. 'Coz the problem didn't hit Linux, Sol, or BSD, so it was 'doze. That was the problem.

===========

Yes.

The security-unconscious integration of services on the Win32 platform (along with the architecture of Windows networking, i.e. the SMB/port 135 and 445 holes, as budge says), in concert with user gullibility, creates a cornucopia of exploits.

This is a large part of why Win32-targeted malware (a perfectly useful word; a shame your users are perplexed by it) is able to do so much teeth-grinding mischief.

For example, consider the Outlook Express MHTML Protocol Handler vulnerability:

<http://www.us-cert.gov/cas/techalerts/TA04-099A.html>

This is a clever hack, built essentially upon layer 8 weaknesses, which creates a sort of cascade security failure beginning with Outlook Express, activated via a request to Internet Explorer (which in turn processes ActiveX or other malscript), then passed back to OE for completion in the 'local zone' of the machine. All of this is made possible by the way Microsoft has decided to present services and pass requests within the operating system. The very features that create the illusion of (sometimes) seamless integration of Microsoft products also lay a smoothly paved, multi-lane highway to elevated-privileges (or denial-of-service) land.

There are also, of course, privilege-elevation exploits haunting the *nix world, but most of these require more than a script-kiddie level of knowledge to cross the shadow separating idea from act, and the OS supports isolation rather than wildfire.

.d.
