Microsoft warns over fourth Word flaw
Robert Lemos, 2007-01-29
Microsoft warns over fourth Word flaw 2007-01-29
Matthew Murphy
I find it hard to buy Dullien's analysis that ASLR in Vista will stop Office zero-day bugs. The ASLR implementation in Vista is not very resilient -- it only randomizes the bases of certain system DLLs and not the rest of the loaded modules.

This means that today's attackers will still succeed tomorrow, because all they'll have to do is slightly tweak the jump points in their exploits.

What will really stop Office bugs (and many client-side bugs) cold is the implementation of Data Execution Prevention on a larger percentage of the Windows install base -- presumably as more users acquire new PCs with x64-capable chips from Intel and AMD which support the protection's hardware component.

The devastation in the Office vulnerability market might, as Dullien's analysis more correctly suggests, be mirrored in the market for bugs in browsers. Whole classes of script exploits, mostly use-after-free bugs in DHTML objects, will become non-exploitable issues as a combination of XPMs (ASLR, DEP, UAC, Protected Mode, etc.) tightens the noose on today's typical vulnerabilities. The client exploits typical of today will be in a race to the bottom in terms of value for malicious users, which is exactly what Microsoft hoped to see.

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/420/1697#1697