Internet Explorer security FUD

The day after Microsoft releases IE7, a security firm revives an old vulnerability report, rushes out a press release, and cues a predictable wave of gloating and "I told you so's". A closer look reveals that maybe there's not so much to gloat about after all.

Well, that didn't take long. The day after Microsoft released Internet Explorer 7.0 for Windows XP, Secunia published a bulletin describing a "vulnerability ... in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information."

And the gloating and "I told you so's" began almost immediately.

Australia's ITWire headlined the story "Serious flaw revealed in one-day old IE7," despite the fact that Secunia's rating for this vulnerability was "Less Critical." On its 1-to-5 scale, where 5 is most serious, this one ranks only a 2, and its graphical indicator is green, not yellow or red.

Slashdot's entry included the snarky comment: "So much for the 'you wanted it easier and more secure' slogan found on Microsoft's IE Website."

Well, maybe breathing into a paper bag a few times will help everyone stop hyperventilating. A few comments:

  • Microsoft says the vulnerability is actually in Outlook Express, not IE.
  • BetaNews reports that this is an old IE6 vulnerability that went unpatched in IE7. And sure enough, even the Secunia article references this six-month-old report. Hmmm. Is Secunia trying to piggyback on the IE7 publicity by reviving this report now?
  • Visiting Secunia's test page with IE7 running on a release candidate of Windows Vista results in a message that reads: "Your browser does not appear to vulnerable [sic] to this particular exploit."

And finally, a question: What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test.