October 20th, 2006

Internet Explorer security FUD

Posted by Ed Bott @ 5:54 am

Categories: Internet Explorer, Security

Well, that didn't take long. The day after Microsoft released Internet Explorer 7.0 for Windows XP, Secunia published a bulletin describing a "vulnerability … in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information."

And the gloating and "I told you so's" began almost immediately.

Australia's ITWire headlined the story "Serious flaw revealed in one-day old IE7," despite the fact that Secunia's rating for this vulnerability was "Less Critical." On its 1-to-5 scale, where 5 is most serious, this one ranks only a 2, and its graphical indicator is green, not yellow or red.

Slashdot's entry included the snarky comment: "So much for the 'you wanted it easier and more secure' slogan found on Microsoft's IE Website."

Well, maybe breathing into a paper bag a few times will help everyone stop hyperventilating. A few comments:

  • Microsoft says the vulnerability is actually in Outlook Express, not IE.
  • BetaNews reports that this is an old IE6 vulnerability that went unpatched in IE7. And sure enough, even the Secunia article references this six-month-old report. Hmmm. Is Secunia trying to piggyback on the IE7 publicity by reviving this report now?
  • Visiting Secunia's test page with IE7 running on a release candidate of Windows Vista results in a message that reads: "Your browser does not appear to vulnerable [sic] to this particular exploit."

And finally, a question: What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test.

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. See his full profile and disclosure of his industry affiliations.


