Internet Explorer security FUD

Summary:The day after Microsoft releases IE7, a security firm revives an old vulnerability report, rushes out a press release, and cues a predictable wave of gloating and "I told you so's". A closer look reveals that maybe there's not so much to gloat about after all.

Well, that didn't take long. The day after Microsoft released Internet Explorer 7.0 for Windows XP, Secunia published a bulletin describing a "vulnerability ... in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information."

And the gloating and "I told you so's" began almost immediately.

Australia's ITWire headlined the story "Serious flaw revealed in one-day old IE7," despite the fact that Secunia's rating for this vulnerability was "Less Critical." On its 1-to-5 scale, where 5 is most serious, this one ranks only a 2, and its graphical indicator is green, not yellow or red.

Slashdot's entry included the snarky comment: "So much for the 'you wanted it easier and more secure' slogan found on Microsoft's IE Website."

Well, maybe breathing into a paper bag a few times will help everyone stop hyperventilating. A few comments:

  • Microsoft says the vulnerability is actually in Outlook Express, not IE.
  • BetaNews reports that this is an old IE6 vulnerability that went unpatched in IE7. And sure enough, even the Secunia article references this six-month-old report. Hmmm. Is Secunia trying to piggyback on the IE7 publicity by reviving this report now?
  • Visiting Secunia's test page with IE7 running on a release candidate of Windows Vista results in a message that reads: "Your browser does not appear to vulnerable [sic] to this particular exploit."

And finally, a question: What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test.

Topics: Security

About

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He has served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the a... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.