Webroot Spysweeper Server Vuln

I also posted this in the security forums over at http://myitforum.com/forums.
Webroot Spysweeper 2.0 Enterprise by default creates a website on port 8080, served by an Apache Jetty server. This website is used to send updates to the clients.
The website is misconfigured so that the HTTP PUT method is enabled. This allows anyone who can reach port 8080 to upload files to the server and potentially replace the files that are already there. Leaving PUT enabled on a web server has traditionally led to complete system compromise.
If you go to http://servername:8080/updates, you will see a list of folders with sequential names: 0057F161…0057F165. Each folder contains a zip file and an INI file; the zip file in turn contains an MST file and an INI file. I have not tested this, but I postulate that at best an attacker could overwrite these files, preventing client updates. At worst, an attacker could create their own MST files that could crash Webroot and potentially run hostile code on the clients.
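As an added example (not part of the original post and not Webroot's code), here is how to confirm whether a directory such as /updates/ actually accepts PUT rather than just advertising it. The probe issues OPTIONS to read the Allow header, uploads a harmless marker file under a random name, checks that the same bytes come back on GET, and then tries to DELETE it. The two in-process servers are constructed stand-ins for the demonstration: one permits PUT like the misconfiguration described above, the other rejects it. To test a live host, point probe_put at its address and port, and remember that writing even a marker file into a production update directory is a change you need authorisation for.

```python
"""Probe a web server directory for HTTP PUT write access (added example)."""
import threading
import uuid
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_put(host, port, directory="/updates/", timeout=5):
    """Return a dict describing whether `directory` on host:port is PUT-writable.

    'writable' is only True when a PUT succeeds AND the marker is served back
    unchanged on GET; a 2xx on PUT alone can come from a server that silently
    discards the body.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    result = {"allow": None, "put_status": None, "writable": False, "cleaned": False}

    # 1. OPTIONS: servers often advertise permitted methods in the Allow header.
    conn.request("OPTIONS", directory)
    resp = conn.getresponse()
    resp.read()
    result["allow"] = resp.getheader("Allow")

    # 2. PUT a marker under a random name so it cannot collide with real update files.
    marker_path = directory.rstrip("/") + "/put-probe-" + uuid.uuid4().hex + ".txt"
    marker_body = b"put-probe\n"
    conn.request("PUT", marker_path, body=marker_body,
                 headers={"Content-Type": "text/plain"})
    resp = conn.getresponse()
    resp.read()
    result["put_status"] = resp.status

    if 200 <= resp.status < 300:
        # 3. Verify the upload by reading it back.
        conn.request("GET", marker_path)
        resp = conn.getresponse()
        result["writable"] = resp.status == 200 and resp.read() == marker_body

        # 4. Clean up and record whether DELETE is open as well.
        conn.request("DELETE", marker_path)
        resp = conn.getresponse()
        resp.read()
        result["cleaned"] = 200 <= resp.status < 300

    conn.close()
    return result


class _UpdateServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an update web server; files live in memory."""
    allow_put = True
    files = {}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        methods = "GET, HEAD, OPTIONS" + (", PUT, DELETE" if self.allow_put else "")
        self._reply(204, extra={"Allow": methods})

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_PUT(self):
        # Always drain the body first so the client never sees a reset.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.allow_put:
            self._reply(405, extra={"Allow": "GET, HEAD, OPTIONS"})
            return
        self.files[self.path] = body  # the misconfiguration: anyone can write
        self._reply(201)

    def do_DELETE(self):
        if not self.allow_put:
            self._reply(405, extra={"Allow": "GET, HEAD, OPTIONS"})
        elif self.path in self.files:
            del self.files[self.path]
            self._reply(204)
        else:
            self._reply(404)


class MisconfiguredUpdateServer(_UpdateServer):
    allow_put = True
    files = {}


class HardenedUpdateServer(_UpdateServer):
    allow_put = False
    files = {}


def start_server(handler_cls):
    """Serve handler_cls on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe both stand-ins and return {"misconfigured": ..., "hardened": ...}."""
    results = {}
    for name, cls in (("misconfigured", MisconfiguredUpdateServer),
                      ("hardened", HardenedUpdateServer)):
        server, port = start_server(cls)
        try:
            results[name] = probe_put("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Against a real server the interesting field is "writable"; an Allow header listing PUT but a 403 or 405 on the actual upload means the method is advertised but blocked by an access rule, which is a much weaker finding than the round trip succeeding.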
I called Webroot today. At first they professed to have no idea what I was talking about. After I explained it a few times, it turned out this had already been discovered and will be fixed in version 2.1, due next week.