Why Windows Vista is unaffected by the VML Bug

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?

The bug is an integer overflow in a call to the C++ operator new, but the affected component, vgx.dll, is compiled with the C++ compiler available in Visual Studio 2005, which automatically detects such integer overflows at runtime. All of Windows Vista is compiled with this compiler.

You can read more about this compiler change in a previous blog.
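An added illustration, not from the original post and not the compiler's generated code, of the arithmetic involved: an element count multiplied by the element size wraps to a tiny byte count, and a runtime check of the kind described above turns that into a failed allocation. `Shape`, the function names and the constructed count are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Hypothetical element type; stands in for whatever the vulnerable code allocates.
struct Shape { std::uint32_t points[4]; };
static_assert(sizeof(Shape) == 16, "example assumes a 16-byte element");

const std::size_t kMax = std::numeric_limits<std::size_t>::max();

// The size an unchecked array allocation computes: wraps silently on overflow.
std::size_t unchecked_bytes(std::size_t count, std::size_t elem) {
    return count * elem;
}

// Checked form: saturate to SIZE_MAX on overflow so no allocator can satisfy it.
std::size_t checked_bytes(std::size_t count, std::size_t elem) {
    if (elem != 0 && count > kMax / elem) return kMax;
    return count * elem;
}

// Constructed count whose byte size wraps to exactly one element (16 bytes).
std::size_t wrap_count() { return kMax / sizeof(Shape) + 2; }

// Returns nullptr rather than an undersized buffer when the size overflowed.
Shape* alloc_shapes(std::size_t count) {
    std::size_t bytes = checked_bytes(count, sizeof(Shape));
    if (bytes == kMax) return nullptr;   // saturated: refuse outright
    return static_cast<Shape*>(::operator new(bytes, std::nothrow));
}

int main() {
    std::size_t n = wrap_count();
    std::printf("count            = %zu\n", n);
    std::printf("unchecked bytes  = %zu\n", unchecked_bytes(n, sizeof(Shape)));
    std::printf("checked bytes    = %zu\n", checked_bytes(n, sizeof(Shape)));
    std::printf("alloc_shapes(n)  = %p\n", static_cast<void*>(alloc_shapes(n)));
    Shape* ok = alloc_shapes(4);         // ordinary request still succeeds
    std::printf("alloc_shapes(4)  = %s\n", ok ? "ok" : "failed");
    ::operator delete(ok);
    return 0;
}
```

Without the check, the caller receives a 16-byte buffer while believing it holds `count` elements, which is why the same source bug is benign once the overflow is caught at runtime.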

The moral of this story is that developers will never find all code-level security bugs, so you need other defenses. Just in case!