Inevitably, CanSecWest 2010 kicked off with the promised and eagerly-awaited Pwn2Own hacking contest, in which a number of effective protection strategies (DEP, code signing, ASLR) failed to prevent determined vulnerability researchers making loadsamoney by circumventing them with attacks on Firefox and IE8 on Windows 7, Safari, and the iPhone.
For details and extensive comment see:
The take-home message from all this, though, is that there is a difference between mitigation and invulnerability. What software can do to protect you can be undone by other software: in the last analysis, whether those software attacks are actually worth implementing is a matter of Cost/Benefit Analysis. $100,000 in prize money is a good incentive, but so is a money-raking botnet.
DEP: Data Execution Protection
ASLR: Address Space Layout Randomization
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog