Microsoft developers overlooked a critical bug in the Internet Explorer browser because of a lack of adequate testing tools and training, a company official acknowledged last month.
The flaw, which Microsoft patched with an emergency update, had gone undetected for at least nine years. Michael Howard, a principal security program manager who has been a proponent of the company's secure code-development process, said that Microsoft programmers had not been taught to look for the type of vulnerability that hit the data-binding function of IE.
Even Microsoft's automated "fuzzer" testing tools, which are dropped into applications to find failures, missed the bug, Howard said in a post on the company's Security Development Lifecycle blog.