An attack, Symantec hypothesized, could involve an attacker spoofing what seems to be a legitimate message to an OWA user, adding a script payload that steals cookie information about the Web session (thus hijacking the session), and so walking off with any information within the compromised mailbox.
But the OWA bug wasn't the only one worth worrying about.
VeriSign iDefense also noted that almost 20 percent (4 out of 21) of the patches fixed bugs that had previously been disclosed in public forums. Two of the four went public in May and one in April, but the fourth harks back to December 2005.
Known flaws that haven't been patched are often called "zero-day" vulnerabilities.
"Zero-day vulnerabilities are a fast-growing trend," said Chris Andrew, vice president of security technologies at patch and vulnerability management maker PatchLink. "They've really boomed since the beginning of the year.
"But Microsoft is taking the same amount of time this year as last year in its patch cycle, so the thing that's shrinking is the time between a vulnerability going public and an exploit appearing.
"That's just a fact of life that we all have to get used to," Andrew added.