Microsoft explains how it missed critical IE bug

From InfoWorld: Microsoft Corp.'s developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, a noted proponent of the company's secure code development process acknowledged last week.

The bug, which Microsoft patched last week with an emergency update, had gone undetected for at least nine years.

n an insider's description on Microsoft's Security Development Lifecycle blog, Michael Howard, a principal security program manager with the company, offered a postmortem analysis of the IE vulnerability and Microsoft's code-writing and reviewing process.

Howard, who is perhaps best known for co-authoring the book Writing Secure Code, said the flaw was a "time-of-check-time-of-use" bug in how IE releases data binding objects.

View: Article @ Source Site