Internet Explorer security FUD

Well, that didn't take long. The day after Microsoft released Internet Explorer 7.0 for Windows XP, Secunia published a bulletin describing a "vulnerability ... in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information."

And the gloating and "I told you so's" began almost immediately.

Australia's ITWire headlined the story "Serious flaw revealed in one-day old IE7," despite the fact that Secunia's rating for this vulnerability was "Less Critical." On its 1-to-5 scale, where 5 is most serious, this one ranks only a 2, and its graphical indicator is green, not yellow or red.

Slashdot's entry included the snarky comment: "So much for the 'you wanted it easier and more secure' slogan found on Microsoft's IE Website."

Well, maybe breathing into a paper bag a few times will help everyone stop hyperventilating. A few comments:

• Microsoft says the vulnerability is actually in Outlook Express, not IE.
• BetaNews reports that this is an old IE6 vulnerability that went unpatched in IE7. And sure enough, even the Secunia article references this six-month-old report. Hmmm. Is Secunia trying to piggyback on the IE7 publicity by reviving this report now?
• Visiting Secunia's test page with IE7 running on a release candidate of Windows Vista results in a message that reads: "Your browser does not appear to vulnerable [sic] to this particular exploit."

And finally, a question: What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test.