CanSecWest: Mitigation versus Impregnability

Inevitably, CanSecWest  2010 kicked off with the promised and eagerly-awaited Pwn2Own hacking contest, in which a number of effective protection strategies (DEP, code signing, ASLR [1]) failed to prevent determined vulnerability researchers making loadsamoney by circumventing them with attacks on Firefox and IE8 on Windows 7, Safari, and the iPhone.

For details and extensive comment see:

The take-home message from all this, though, is that there is a difference between mitigation and invulnerability. What software can do to protect you can be undone by other software: in the last analysis, whether those software attacks are actually worth implementing is a matter of Cost/Benefit Analysis. $100,000 in prize money is a good incentive, but so is a moneyraking botnet.

[1] DEP: Data Execution Protection
ASLR: Address Space Layout Randomization

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

Author David Harley, ESET

Leave a Reply

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
25 Mar 2010
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.