It’s important to check one’s text carefully. I know I’ve let too many typos and grammatical missteps stay in my own writing. In the case of Microsoft, though, it’s apparently a much more costly mistake.
Extra ‘&’ in Microsoft development code gave hackers IE exploit
Company’s security development expert confirms reports by outside researchers
By Gregg Keizer
July 29, 2009 07:33 AM ET
Computerworld – Microsoft yesterday confirmed that a single superfluous character in its own development code is responsible for the bug that has let hackers exploit Internet Explorer (IE) since early July.
A pair of German researchers who analyzed a vulnerability in a Microsoft-made ActiveX control came to the same conclusion three weeks ago.
“The bug is simply a typo,” Michael Howard, a principal security program manager in Microsoft’s security engineering and communications group, said in a post Tuesday to the Security Development Lifecycle (SDL) blog. Howard, who is probably best known for co-authoring Writing Secure Code, went on to say that the typo — an errant “&” character — is the “core issue” in the MSVidCtl ActiveX control.