The story never ends how many time Microsoft will issue a pre-patch advisory with workarounds with an infamous word “highly critical” attach since it begins to see vulnerabilities and warning that conclude the advisory with .. that could put millions of Internet Explorer users at the mercy of malicious hackers. How many times million of enduser workstation has to suffer for the patches, million of hours in loss. And the phrase that gives out for media blurbs…A Return of Investment.. now seems to be true for only the Redmond. How many times you are force to read Buffer Overflow exploit when their so called innovative technology called .NET, often repeatedly claims to remove it. In fact in every new releases, no matter its Vista or new .. still goes back to unsafe machine dependent compiled code. Will that make sense when Overflow keeps coming and the .NET get raising..!

The challenge lies ahead for Microsoft, how they make their existence product workable in the managed container of .NET. This is indeed a true solution that could put these buffer overflow to final end. Matter is not that easy, the huge component of Office are so terrible that even .NET Interop issue can’t stop these vulnerability easily. The codebase has to execute in unsafe container. The IE component that is eminent part of the Explore. Without it, Explore can’t display all the fancy stuffs that comes in every single window. Recently, Mircosoft has agreed to isolate these component dependecy from Explore. Which is a late good move but nothing gonna change for XP for the time being. The late new major Service Pack is expected to resolve this techincal glitches. Since the Vista deadline is expected to be missed again I believe ths service pack will be shipped bundle within this deadline. Overall, I am sure the Redmond guys want to make assure all these issue covered well and the huge criticism turns into appreciation but without unsafe code execution environment the possible exploitation are still possible. In security `possible` is a terrible word.

Oh yea.. I forget to mention there is yet another highly critical buffer overflow (heap or stack or integer or whatever) in recent list. If you keep following the new Security Advisory release from M$ and the bugtraq you will see how much overflow are being discovered every month..thats too much..i will not bother to ask you to visit there..keep safe and avoid IE is the best solution.

A ret val check signature that sits just ahead of the return address of stack or heap often called canary value, or a cookie that check the exploitation issue but even this comes with some price. Microsoft has not been following the kernel issue that could bring a final solution to crack down these classical exploitation. They could utilize a grsecurity appraoch –patches for linux kernel that has multi-layered detection, prevention, and containment model. These are so effective that has been widely used to secure the kernel, the trade off is some bit of cpu cyle that doesn’t effect the system performance.

Lets forget the issue of patches..thats beyond our ability to do in M$. In windows what we call a FireFox a less vulnerable Browser, not a new suggestion though, but it has a live update and keep your browser almost up2date. In contrast the IE does the same but you are about to verify your legitmacy copy of your Windows..! Does this make sense when in other side of the world (who pirates) is unsafe and loyal payer are safe…Does that make sense of being safe with divide world! I rather ask ballmer to get some advice from a great lier of the century Mr. Bush. And follow his bushsim theory.