
IE 7 flaw, or not?

Joris Evers, Staff Writer, CNET News.com
Joris Evers covers security.

A day after Microsoft released Internet Explorer 7, security firms reported the first vulnerability in the final version of the new Web browser. (The beta releases were not bug-free, so this would not be the very first IE 7 flaw.)

Microsoft shot back on its Security Response blog. "These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all," the company said.

Instead, the flaw is in Outlook Express, Microsoft said.

But Secunia, a security monitoring company, maintains that listing the bug as an IE 7 vulnerability is correct.

"The vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector," Secunia CTO Thomas Kristensen wrote in an e-mail to CNET News.com.

"Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component," Kristensen wrote.

Microsoft is looking to promote the security of IE by hiding behind an explanation that certain vulnerabilities, though only exploitable through the Web browser, are to be blamed on other Windows components, Kristensen wrote.

Microsoft should take responsibility for the vulnerabilities and risks in IE, caused by the browser being integrated in Windows, he wrote.