Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it.
"Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception.

The Common Vulnerabilities and Exposures (CVE) entry for this bug is CVE-2008-4844.

Before I get started, I want to explain the goals of the SDL and the security work here at Microsoft. The SDL is designed as a multi-layered process to help systemically reduce security vulnerabilities; if one component of the SDL process fails to prevent or catch a bug, then some other component should prevent or catch the bug. The SDL also mandates the use of security defenses whose impact will be reflected in the "mitigations" section of a security bulletin, because we know that no software development process will catch all security bugs. As we have said many times, the goal of the SDL is to "Reduce vulnerabilities, and reduce the severity of what's missed."

In this post, I want to focus on the SDL-required code analysis, code review, fuzzing and compiler and operating system defenses and how they fared."
Michael Howard's post: http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx