Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it.
"Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception.
The Common Vulnerabilities and Exposures (CVE) entry for this bug is CVE-2008-4844.
Before I get started, I want to explain the goals of the SDL and the security work here at Microsoft. The SDL is designed as a multi-layered process to help systemically reduce security vulnerabilities; if one component of the SDL process fails to prevent or catch a bug, then some other component should prevent or catch the bug. The SDL also mandates the use of security defenses whose impact will be reflected in the "mitigations" section of a security bulletin, because we know that no software development process will catch all security bugs. As we have said many times, the goal of the SDL is to "Reduce vulnerabilities, and reduce the severity of what's missed."
In this post, I want to focus on the SDL-required code analysis, code review, fuzzing and compiler and operating system defenses and how they fared."
Michael Howard's post: http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx