The bug, which Microsoft patched last week with an emergency update, had gone undetected for at least nine years. Michael Howard offered a postmortem analysis of the IE vulnerability and Microsoft’s code-writing and reviewing process. Howard, who is perhaps best known for co-authoring the book Writing Secure Code, said the flaw was a “time-of-check-time-of-use” bug in how IE releases data binding objects.
The vulnerability was not found by programmers because they had not been told or taught to look for them in such cases, Howard said. “Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review,” he said. “We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues.”