Microsoft has made much of the security advances in its recent products, but some people ask why these are not incorporated into its earlier products. The basic answer is that doing so would usually come at a cost that users aren’t willing to pay in a software patch, but may be willing to pay in a new product generation.
Yesterday’s revelation of a flaw in DirectShow in Windows XP and other older Windows versions is a perfect example. Windows Vista, Windows Server 2008 and Windows 7 were not vulnerable. Why? Because the DirectShow code in XP had largely been replaced with the new Windows Media Foundation, developed using the company’s SDL (Security Development Lifecycle), a series of development rules designed to decrease the number of vulnerabilities in code and to limit the impact of those that remain.

Read the full story [pcmag.com]