They fixed it in two days. Make of that what you will.
-
-
Low opinion of CFG set in early and seems widely held. Yet evidence and analysis have been strikingly thin. Microsoft has the first responsibility, but our security industry might have looked closer. Are the incentives not there? We need a good account. CFG makes us all look bad.
-
I'm not sure I've seen a vulnerability that was rendered unexploitable by CFG. That would be my minimum bar for evidence of being useful! The problem is that even the simplest Windows program has 100ks of whitelisted indirect branch targets, when would that not be good enough?
- 8 more replies
New conversation -
-
-
The secondary perf-costs of using CFG are weird. So far I've seen: - O(n^2) CreateProcess (fix landed) - Slow scanning of CFG address space (fixed in ~1809) - Unbounded memory growth (not fixed) - Whatever these stutters are These are in addition to its obvious overheads
-
Does "landed" mean that the fix you were given for your O(n^2) traces is public now? I do want to see how Microsoft presents it. Will they describe it any more precisely than are their fixes of security vulnerabilities. Will they describe it at all? We need that they do, I think.
- 5 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
