The long-awaited Internet Explorer 7 debuted recently -- and a brand-new flaw promptly debuted a day later. While Redmond argued that the vulnerability actually comes from Outlook Express, it still affects IE7. But Mike Mullins says it doesn't bode well for the browser update, whose security enhancements Microsoft has been touting.

Last week, Microsoft released the long-awaited Internet Explorer 7, the much-anticipated update to the software giant's perennially security-challenged browser. As part of its strategy for wresting back market share from the popular Firefox browser, Microsoft has emphasised the browser's various security enhancements.

But a mere 24 hours later, the first security flaw had already surfaced -- sort of. Secunia Advisory 22477 classified it as an IE7 vulnerability, but Microsoft holds that the problem -- a flaw in Outlook Express that can purportedly affect many browsers, not just IE7 -- has been exaggerated.

And yet, it's not the only snag. Some compatibility problems have also emerged, although some companies have rushed out fixes.

But we've been hearing about IE7 for a long time now, and these almost instantaneous problems are more than frustrating -- and they're more than likely not the last to emerge. While we're waiting, let's explore this flaw further and examine how to protect your organisation.

When Microsoft initiated the Security Development Lifecycle (SDL) in March 2005, its beta project for IE7 was months away from an anticipated mid-year release. At the 2005 annual RSA Conference, Bill Gates himself said, "Our primary goal is to improve security and safety for all our customers -- consumers and businesses, regardless of size -- through a balance of technology innovation, guidance, and industry leadership ... We're committed to continued innovation that addresses the threats of today and anticipates those that will undoubtedly emerge in the future." I guess nobody at Microsoft had ever heard of Internet Explorer vulnerabilities.

This is a major slap in the face, not to Microsoft, but its customers and consumers. Since Internet Explorer 4.0 released with active scripting support (or ActiveX Scripting), there's been a constant and consistent discovery of vulnerabilities -- the first one, published by Bugtraq, came in May 1999. Flaws have continued to steadily emerge in the seven years since.

And here we are again: If you're running IE7, you're vulnerable. I'm not going to debate whether this flaw comes from IE7 or Outlook Express, because you're still at risk if you're using IE7. (You can test your browser for this vulnerability on the Secunia Web site.)

Why does this vulnerability put you at risk? If you're browsing through your financial information or reading your e-mail and you open up another tab -- a major highlight of IE7 -- to browse to a potentially malicious site, attackers could view the information you're displaying in the other tabs -- how's that for security?

The workaround for this vulnerability is to disable Active Scripting support -- a common "fix" for this type of vulnerability. To disable ActiveX in IE7, follow these steps:

1. Go to Start | Control Panel, and double-click Internet Options.
2. On the Security tab, click Custom Level (this will cover all of your Internet browsing).
3. Scroll to Scripting, select Disable under Active Scripting, and click OK twice.

This process disables both the main enhancement and the security threat with your new browser.

Final thoughts
After years of tough security talk and publicity, Microsoft managed to fall victim to not listening to its own rhetoric or the customers that use its software. Most of us understand that living in a connected world means that security and functionality will always be inversely proportional. However, when you design and distribute something intended for use on the wild and woolly Internet, you need to deliver a product that focuses first on security and then on functionality.

I have two thoughts for Microsoft: Stop using the world as your beta testers. Discovering a vulnerability less than 24 hours after a new release is no security focus at all.

And to all you security-minded users out there, which browser do you trust to use on the Internet?

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.