Michael Howard did a very good analysis of the ANI vulnerability and showed what we learned and where we will improve SDL (the Security Development Lifecycle). He posted that on our new SDL bog:
http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx

Roger