Windows .ANI Problem Surfaced Two Years Ago
An anonymous reader writes "There's a new twist to the tale of the Windows .ANI exploit that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."
I'm not using Vista, and I'm writing this on my Debian box. But this is ridiculous.
It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them.
Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places. They probably should have caught it, but they didn't. If they are incompetent merely because they have code that is exploitable by stack overflows, then every OS and most network applications out there are the result of incompetence. There is no software development process that will guarantee every potential exploit will be caught.
On top of all of that, this is yet another (of about three instances I have found so far) where it's clear that Vista is not "all new code" as MS likes to maintain it is.
Got a reference to back that up? Anywhere that a MS spokesperson has stated that Vista is "all new code"?
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
Why is it that a 0.3% drop in Apple's marketshare gets widely reported but the jump from 2% to 6% of the market didn't?
Cwm, fjord-bank glyphs vext quiz