http://www.pcmag.com/article2/0,2817,2361810,00.asp
IE8, Safari, Even iPhone Fall at Pwn2Own Contest
03.25.10
by Larry Seltzer
The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it.
The IE exploit is the most interesting because it bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), albeit in a very cumbersome way. The researcher, Peter Vreugdenhil, explains exactly what he did in a paper on his web site.
...
I am all for better security, but the fact remains that the vast majority of badware I see spreads via two things:
1. The human factor, i.e. users either being careless, or going to websites they shouldn't and downloading things without thinking.
2. The fact that Windows is so stupid that it autoplays memory sticks, i.e. it looks on any memory stick you plug in and runs whatever program the stick tells it to. How insecure can you get?