The End Of Vulnerabilities?

http://www.darkreading.com/vulnerab...ent/232602714/the-end-of-vulnerabilities.html

On a global scale, bugs are never going away, but in specific products, early evidence reveals that companies are having success in weeding out flaws

 

Until we invent AI which can examine code and define all possibly combinations to patch and exploit it, we are nowhere near the end of vulnerabilities and exploitation. With evolving dynamic code such as an OS etc, there will always be new ways to attack the system despite security measures. And I agree with 0 days going to the highest bidder. Governments want them as cyber weapons, criminals want them for malware. Those type of vulnerabilities will not be reported easily or buried altogether.

 

I think that perfect code for any reasonably complex system such as an operating system is flat out impossible without new methods of coding.

That said, due to techniques like ASLR and DEP programs can kind of "blanket bomb" exploits. The exploit might still be there but it's inaccessible because the code is not executable or because they can't find it in the address space.

Will exploits ever go away forever? No. But I think we are really starting to see the cost of exploits for more common programs (browser, plugins like flash, reader, even the OS) really start to go up.

So either we'll see new methods of exploitation, new areas of exploitation, or more social engineering components.

 

Oh no I agree with ASLR and DEP the cost of exploits by common means has been raised. (And that is a good thing!) Though yes I feel we will see new techniques in terms of exploitation. The rules may have been changed but the game never does.

 

Exactly, that's how I feel as well. When DEP came about we started seeing ROP, now we seen JIT Spray or Gen Shue or HOP exploitation. The attacks are getting more complicated but they aren't going away.