I find it hard to buy Dullien's analysis that ASLR in Vista will stop Office zero-day bugs. The ASLR implementation in Vista is not very resilient -- it only randomizes the bases of certain system DLLs and not the rest of the loaded modules.
This means that today's attackers will still succeed t...
The only plausible reason why Microsoft would delay fixing such a critical issue for so long, in software that is so widely used across the world, is that these exploits are actively being used by government entities and Microsoft has been asked to hold off patching them. ...