CanSecWest: Mitigation versus Impregnability

Inevitably, CanSecWest  2010 kicked off with the promised and eagerly-awaited Pwn2Own hacking contest, in which a number of effective protection strategies (DEP, code signing, ASLR [1]) failed to prevent determined vulnerability researchers making loadsamoney by circumventing them with attacks on Firefox and IE8 on Windows 7, Safari, and the iPhone.

For details and extensive comment see:

The take-home message from all this, though, is that there is a difference between mitigation and invulnerability. What software can do to protect you can be undone by other software: in the last analysis, whether those software attacks are actually worth implementing is a matter of Cost/Benefit Analysis. $100,000 in prize money is a good incentive, but so is a moneyraking botnet.

[1] DEP: Data Execution Protection
ASLR: Address Space Layout Randomization

Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled):
ESET Threatblog notifications on Twitter:;
ESET White Papers Page:

Securing Our eCity community initiative:

Also blogging at:

Author David Harley, ESET

Follow us

Copyright © 2018 ESET, All Rights Reserved.