Possible changes for better Windows security

Microsoft’s much-advertised efforts at greater security in Vista were tarnished when the ANI exploit hit. The exploit used a type of security hole that has been known for a long time, so questions arose about Microsoft’s neglect of this mode of attack. Ryan Naraine at ZDNet discusses Microsoft’s efforts to answer for this somewhat embarrassing episode:

How did the super-critical animated cursor (.ani) vulnerability get past all the strict code review, fuzz testing and other defense-in-depth mitigations built into Windows Vista?

Michael Howard has the answer and he’s sharing it with us in a candid explanation from Microsoft on the lessons learned from the recent zero-day attacks and some planned changes to fix some warts in the SDL (Security Development Lifecycle).

The article goes on to discuss how this particular security hole was missed and what Microsoft is doing to make its security reviews even tighter.
