I have no experience using Active Directory. Is this common practice? I would personally not even classify this as a bug; it seems like common sense that running code downloaded from an unauthenticated connection is bad. How is this different from saying there are critical security bugs in http/ftp, since the same type of attack is possible (but well known)?