Go "Back" At Your Own Risk (4/19/02)
Okay, help us clear up a little confusion, here... Bill Gates really did issue a companywide memo urging all Microsoft employees to usher in a new era of "trustworthy" computing by putting security ahead of new features, right? And he even ordered the company to cease development for a month to find and squash bugs-- that wasn't just some wacky fever-dream on our part? Because it certainly seems to us that the Microsoft security holes are still coming fast and furious. Heck, on the Mac side alone, we had that Office bug in February which allowed a remote doofus to shut down your software by sending a "malformed packet," and then that other issue just a few days ago which could compromise your Mac by allowing evildoers to "run arbitrary commands." So, uh, what happened to that whole "trustworthy computing" initiative? Because right about now we trust the security of Microsoft's products about as far as we can hurl Bill Gates's net worth in pennies.
And yeah, we fully understand that these bugs were introduced long before Bill's incredible epiphany that a reputation for security might be a necessary selling point to sucker the whole planet into dumping their identities into .NET. But if you want a recent example of why that "leaked" Gatesian edict for Security Over Features was little more than a PR stunt, look no further than the Gigantic Microsoft Security Hole du jour: a few days ago, Wired reported that Internet Explorer's security settings for a given page kinda sorta don't apply in any way, shape, or form once a user moves on to another page and then clicks the "Back" button.
In other words, if we're understanding this correctly, say you visit a page packed full of nasty painful evil scripting junk, but you've got IE configured to block the code from executing automatically. Pleased with how your deft use of security settings prevented disaster, you then visit a security site you've bookmarked so you can tell them about the evil page. But you forgot to copy the URL, so you click the "Back" button... and whammo, the code executes automatically-- deleting all your files, raiding your fridge, drinking right out of the milk carton, and using the last of the toilet paper without replacing the roll. Bad, naughty, evil code.
Now, okay, we admit that this bug was certainly introduced prior to when the Shining Example of Security memo went around in January. But here's the wacky bit: when the Microsoft Security Response Center was informed of this problem, it "thoroughly investigated" the issue and finally arrived at the conclusion that "the proposed exploit scenario... does not meet [its] definition of a security vulnerability" because it "requires the attacker to compel users to click on the back button while visiting a malicious website." According to Microsoft, the scenario therefore "does not constitute a viable threat to users following standard best practices."
So there you have it, folks-- using the "Back" button in Internet Explorer isn't a standard, best security practice. Apparently everyone just knows this a priori, or at least Microsoft assumes they do, because nowhere in Microsoft's documentation does it state that using the "Back" button is only for loose cannons who are itchin' for trouble, nor is the button labeled "Back Minus Security Measures" (though maybe that full title was just truncated to fit in the toolbar). By the way, this is only a problem under Windows; the Mac version is safe. But if the official corporate reaction to this bug is any indication of Microsoft's progress down the long road to Securityville, we'd say the company is just about ready to start thinking about maybe putting on its left shoe. Who knows? Maybe by the end of the year Microsoft will even tie the laces!
SceneLink (3700)
The above scene was taken from the 4/19/02 episode: April 19, 2002: In light of a class action suit that's moving forward, Apple's official stance on the lack of Mac OS X support for legacy ATI chips suddenly becomes a whole lot less final. Meanwhile, rumors fly about a new version of AirPort that runs at ten times the speed, and Microsoft informs its customers that only crazy people would ever expect security features when clicking Internet Explorer's "Back" button...