At The Mercy Of Developers...
Alan: Exactly. How many of us have landed on a cyber-squatted site when we’ve accidentally left out one letter from a normal Web site? Not to mention that big sites can be hacked too (Asus' home page, or Dolphin Stadium’s Web site during the 2007 Super Bowl).
Same question then, for last year's Flash exploit that took down Windows, but theoretically also affected Linux machines running Flash. If users had turned on the NX bit for all applications, were running 64-bit Vista, had outbound firewalls, and were running heuristic-based anti-malware suites, would that have limited the damage and the ability for a malicious hacker to "take the next step" and cause more damage?
Charlie: Pretty much the same answer. You can do some things that make it a little harder on an attacker, but really if someone wants to nail you with that bug, they would have.
Alan: So there really wasn’t much that end users could have done to protect themselves. We’re pretty much at the mercy of the software developers to protect us?
Charlie: Mostly, users are at the mercy of the products they buy. Of course, the vendors are at the mercy of the consumers, so if the consumers all decide only to buy secure products, that is what will be produced.
Alan: Actually, let me get back to the comment you made earlier. When Firefox and IE8 were compromised by Nils this year, he wasn’t able to execute arbitrary code then. Without going into specifics, do all of these exploits disappear when I close the browser? That is, if I had a compromised browser, but then exited out completely and then re-launched the application to go directly to my bank’s home page, would I be safe?
Charlie: Actually, I think he did execute arbitrary code. But regardless, what you described does not help. The exploit can write files to disk, execute them, etc. Once they have any code running, you’re screwed (unless they’re in a sandbox).
Alan: What do you think about future approaches to security such as secure hypervisors or taking a dumb terminal approach (i.e. Citrix or VNC in a world with infinitely fast bandwidth and infinitely small latency)?
Charlie: I think no matter how you set it up, it’s going to boil down to complex code interacting with outside data and your own personal data. In this case, the best thing is to just focus on making exploitation harder and sandboxing the application from personal data as much as possible. Every hurdle added reduces the chance of the exploitability of a given vulnerability.