About a week ago, we posted news about Secunia, a security firm, discovering an IE7 vulnerability within 24 hours of its release to the public. This news hit pretty quickly throughout the security communities, which has put Microsoft under close scrutiny. So, how does Microsoft retaliate? They state the Secunia report was “technically inaccurate”.

Microsoft’s reply to Secunia’s claims about the Internet Explorer 7 bug appeared on the the company’s Security Response Center blog. Christopher Budd, a security program manager at Microsoft, wrote that the issue in question is not in Internet Explorer 7, or even a previous version of the browser, but instead in a component of Outlook Express.

Less than a day after releasing its latest browser update, Internet Explorer 7, Microsoft was hit with reports that the new software had a vulnerability that was present in the last version, Internet Explorer 6, and had gone unpatched.

In response, Microsoft has called the reports technically inaccurate, and noted the flaw is not in Internet Explorer 7, but in a different component of Windows.

The vulnerability report came from security firm Secunia, which had run standard tests on the browser as soon as it was made available. The firm’s chief technology officer, Thomas Kristensen, noted that he was surprised the flaw had not been fixed for IE 7.

Secunia rated the vulnerability “less critical” because attackers cannot gain remote control over a system by exploiting the flaw. But Secunia also said that the bug does put users at risk because it can be used to launch phishing attacks or spy on a user’s actions.

The rest can be found here.

Whether or not Secunia’s report was “technically inaccurate” or not, vulnerabilities will eventually be discovered in IE7, some of which may have been unpatched from IE6. For reasons like this, it is crucial that Microsoft releases their Vista OS to the corporate security businesses both for all their consumers’ protection and for their reputation.

Tags: Computer Protection