Interesting. You say this was reported 4 months ago, and no action has been taken...did Microsoft even reply, or give you their position on this report?
We had a similar discussion over OWA, where their lack of response could be attributed to the fact that the attack is a redirection in the URL, not necessarily a flaw in the code. I know, it's nitpicky, I'm not necessarily taking their side, but I can see how a major company would take a stance of "the code itself is fine...if it's misused...well, too bad." It's bad practice, but not uncommon.
I'll read up some more, but I am interested to hear how this pans out, seeing as how I work for a C.A.



