Thursday, July 30, 2009

Extra '&' in Microsoft development code gave hackers IE exploit

Company's security development expert confirms reports by outside researchers

By Gregg Keizer, ComputerWorld
Microsoft yesterday confirmed that a single superfluous character in its own development code is responsible for the bug that has let hackers exploit Internet Explorer (IE) since early July.

A pair of German researchers who analyzed a vulnerability in a Microsoft-made ActiveX control came to the same conclusion three weeks ago.

"The bug is simply a typo," Michael Howard, a principal security program manager in Microsoft's security engineering and communications group, said in a post Tuesday to the Security Development Lifecycle (SDL) blog. Howard, who is probably best known for co-authoring Writing Secure Code, went on to say that the typo -- an errant "&" character -- is the "core issue" in the MSVidCtl ActiveX control.
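The article does not reproduce the MSVidCtl code, so the following is an added illustration (written for this post, not Microsoft's or ATL's code) of the bug class Howard describes: a single stray address-of `&` that compiles cleanly and turns a bounded copy into a stack overwrite. The `struct frame`, the `stream_read` sink, the 16-byte buffer and the record format are all hypothetical; what is real is the mechanism, namely that a sink with a `void *` destination (the shape of `IStream::Read`) accepts both `f.data` and `&f.data`, so the compiler never objects, and the bounds check that protects the intended buffer says nothing about the pointer-sized slot the write actually lands in.

```c
/*
 * Added illustration (not Microsoft's MSVidCtl/ATL code): how one stray
 * address-of '&' redirects a length-checked copy onto the stack when the
 * sink takes a void* and therefore cannot tell `p` from `&p`.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0xDEADBEEFu

/* Hypothetical stack frame: the pointer variable sits right below a value
 * that must not be overwritten (a canary here; saved registers or a return
 * address in a real frame). The pad keeps the 12-byte demo write inside the
 * struct on both 32- and 64-bit targets so the program itself is well defined. */
struct frame {
    uint8_t *data;      /* points at the real destination buffer */
    uint32_t canary;    /* neighbour on the simulated stack */
    uint8_t  pad[16];
};

/* Stream-read sink in the style of IStream::Read: a void* destination, so
 * the compiler accepts `f.data` and `&f.data` alike and cannot flag the typo. */
static void stream_read(void *dst, const uint8_t *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Parses a record (1-byte length, then payload) into a 16-byte stack buffer
 * and returns the canary afterwards. Both variants run the same bounds
 * check; only the destination argument differs by one '&'. */
uint32_t parse_record(const uint8_t *rec, size_t rec_len, bool with_typo)
{
    uint8_t buf[16] = {0};
    struct frame f = { buf, CANARY, {0} };

    if (rec_len < 1)
        return f.canary;
    size_t n = rec[0];
    /* The bounds check is correct for the intended destination, buf ... */
    if (n > rec_len - 1 || n > sizeof buf)
        return f.canary;

    if (with_typo)
        /* ... but the typo aims the write at the pointer-sized slot holding
         * f.data, so up to sizeof buf bytes spill across the stack frame. */
        stream_read(&f.data, rec + 1, n);
    else
        /* intended: copy into the buffer that f.data names */
        stream_read(f.data, rec + 1, n);

    return f.canary;
}

/* Constructed attacker-controlled record: length 12, then 12 bytes of 0x41. */
const uint8_t SAMPLE_RECORD[13] = {
    12, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

int main(void)
{
    printf("without typo: canary 0x%08x\n",
           (unsigned)parse_record(SAMPLE_RECORD, sizeof SAMPLE_RECORD, false));
    printf("with typo:    canary 0x%08x\n",
           (unsigned)parse_record(SAMPLE_RECORD, sizeof SAMPLE_RECORD, true));
    return 0;
}
```

Run it and the correct call leaves the canary at 0xDEADBEEF while the call with the extra `&` returns 0x41414141: the twelve bytes passed the length check against `buf` and then overwrote the pointer and whatever sits above it. The practical takeaways are the ones a reviewer would raise on such code: prefer typed destination parameters (`uint8_t *`) to `void *` where the API allows it, so that passing `&p` is a compile error rather than a silent pointer conversion, and treat every `&` in an argument list to a memory-writing call as worth a second look.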




~Sandy G.
