Writing in today's Microsoft Security Response Center blog, Christopher Budd said that security vendor reports of a vulnerability existing within the newly released Internet Explorer 7 are false. The vulnerability exists, but within Outlook Express; Internet Explorer is merely the vector for exploitation. Sure enough, there's an April 2006 security alert #19738 from Secunia discussing pretty much the same flaw within IE6. It calls out Outlook Express as the culprit. Given that the vulnerability, whatever the cause, can result in the remote access of data, one has to wonder why Microsoft didn't patch this flaw six months ago.