Thanks for that update on the issue Tony. The article shows just how quickly some media outlets will grab a headline and run with it. They don't spend the time to find out all the information needed about it before they start a 'panic' scenario.

As stated in the article

This all started when someone posted a hypothetical password theft exploit to Bugtraq. In his hypothetical exploit, the person speaks of a rogue application stealing the user's passwords or credit card information. This application sends a command to Windows to start the user's web browser and load an internet address. In the poster's example, the rogue application sends the information that it had stolen as part of the request to the server. The person claimed that this constituted a bug in the core design of ZoneAlarm that allows software to bypass it and access the internet.

In fact, all the person had found was a feature of Windows that is commonly known and well documented. If a program gives the Windows shell a command, and the command starts with http://, Windows determines correctly that the program wants the user's web browser to load a web page. Windows checks the registry to see which web browser the user has configured to handle web surfing, then loads the web page in that browser. If the user has set their firewall to allow their web browser to access the internet, then obviously there will be no alert.
It doesn't really have anything to do with ZoneAlarm's product; it's more of a Windows problem (...agian).