Microsoft’s Mea Culpa regarding CVE-2008-4844

As most of us know, the vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 was as bad as it gets. It allowed remote attackers to execute arbitrary code via a crafted XML document to easily take control of the PC. While Microsoft has made great strides toward secure code using their Secure Development Lifecycle, this huge vulnerability slipped through the cracks.

Microsoft’s Secure Development Lifecycle Cycle (SDL) is a process that Microsoft has adopted for the development of software that needs to withstand security attacks. The process includes the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft’s software development process.

Microsoft’s developers have provided a detailed description on how and why their SDL failed at the Microsoft Security Development Lifecycle Blog:

For more information regarding CVE-2008-4844, check out: