Half a year ago I wrote a blog illustrating some blatant bias in the media's coverage of Firefox over IE (Internet Explorer 6). I showed how easy it is to impact the way products are perceived just by wording the titles differently, since more people read the title than the actual details of the story. Those who argued with me in the talkback didn't really try to deny the existence of the bias, just that they felt bias was justified. David Berlind even had a fairly long piece that went to great lengths to rationalize the bias, but I still have to question if it's the media's job to handicap what it perceives to be the bully or if it's the media's job to simply report fairly and accurately.
But now we're seeing media bias rear its ugly head again where IT publications are using words like "serious" to describe the minor flaw in Internet Explorer 7 to essentially crash the IE7 launch party. In all my years following IT coverage, I have never seen a minor issue that Secunia rates a 2 on a scale of 5 get so much negative attention from the press. Just to put this in perspective, Mozilla's alternative browser Firefox has three of these 2-rated vulnerabilities unpatched and two of them are two years old (here and here), yet the typical comparison being made to Mozilla is that they patch their vulnerabilities in a day or two. But for IE7's 2-rated flaw, many are declaring IE7 a security failure on its first day after its launch. If this is the standard for determining success or failure in the security of software, we may as well stick our heads in the sand and go back to pen and paper.
It's interesting to note that when Mozilla's chief of security Window Snyder gave me a presentation on Mozilla's security strategy, she made it very clear in her presentation that Mozilla does not pick and choose which flaws get fixed and which flaws don't. Instead, Mozilla would simply patch everything.
Microsoft, being desperate to salvage its IE7 launch, immediately responded by stating that the actual flaw is in Microsoft Outlook Express and not in the IE7 code. Secunia's CTO Thomas Kristensen stood by Secunia's security advisory because the Outlook Express vulnerability was being exploited through Internet Explorer 7 (in Windows XP and not in Vista). As far as I'm concerned, Secunia's advisory isn't entirely wrong because it is right to flag IE7 as a vulnerable vector for exploiting the Outlook Express flaw, but Secunia is wrong to not state in their advisory that the flaw is actually in Outlook Express. Microsoft isn't entirely right either and should simply admit that it is a problem for IE7 and that they will fix the Outlook Express vulnerability. Users don't really care where the actual flaw is; they just know it affects them when using IE7 and they want it fixed. Microsoft should simply take the opportunity to show the public that it will do the right thing for the users regardless of how they're being treated by the press.