You may also have seen that this patch has a few nasty holes of its own and calls home occasionally (though only when it hits an exploit attempt, so I think that’s reasonable), thus prompting fears that Microsoft may point at this as an example of poor open source code quality.
However – and this is the killer point – the patch has been patched by someone else, namely Paul Hsieh (code diffs here). Now, it may be illegal (the reason that I quoted the words “open source” in the link to the patch above is that the first patch has a few distinctly non-open clauses regarding its distribution) but if there’s a single winning argument you can make in this whole story for the open source security model, this is it.
This has fascinated me because I’m one of the people who, despite being an open source fan, thinks that Microsoft sometimes gets a raw deal about buggy code and patches (as I’ve commented here and here – quick summary: MS has to push its patches through a longer QA system for fear of 1% of installs breaking and clobbering a million machines). However, recently the sheer number of unpatched holes in MSIE has become ridiculous and it’s time to give up on it. Frankly, the only real patch is to move to Firebird.