Why Microsoft's SDL may not lead to secure Microsoft Products

I was reading this article on Wired.com about this month's Microsoft patches when something occurred to me.

Microsoft have done a huge amount of work on the security of their development practices and ensuring that there are fewer vulnerabilities in their products but what about "bought in" code?

The reason this occurred to me is that the one vulnerability from this month's set that affects Vista is in some of the A-V technology that they've acquired with companies like Sybari.

So every time Microsoft buys a company and integrates its products into the existing Microsoft ones, they potentially introduce a load of new vulnerabilities in code that probably won't have been through the same rigours as the internally developed code. This is especially relevant where they are integrating products into security-sensitive areas of the operating system like A-V and Anti-Spyware.

Now Microsoft could of course re-write the codebase of any acquired technology before integrating it, but that would kinda' defeat the purpose of buying the company in the first place!

About this Entry

This page contains a single entry by Rory2 published on February 16, 2007 12:49 PM.

Very nasty solaris telnet bug was the previous entry in this blog.

Security products != Secure products is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

