Ed Bott has published a lengthy blog post questioning some of the sensationalist conclusions drawn in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas, in which he noted:
It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.
Alex Sotirov responded by email; his message is reprinted below:
Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.
Exploitation is a cat-and-mouse game. The paper we presented puts the offensive side at a slight advantage, but it won’t take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.