zlacker

1. floatb+ (OP) 2017-04-29 11:06:35
> …I don’t believe that advances in so called “safe languages” or anti-exploitation technology could significantly change this landscape. These approaches, while admittedly effective in many situations, especially against memory-corruption-based vulnerabilities, cannot address other broad categories of software vulnerabilities, such as security bugs in application logic, nor stop malicious (or compromised) vendors from building backdoors intentionally into their software.

True. But never underestimate how common memory corruption bugs are. It's fucking embarrassing just how common they are. Look at the Project Zero tracker. Just the first page of the newest issues: "double-free", "out-of-bounds write", "use-after-poison", "use-after-free", "kernel double free", "kernel memory corruption due to off-by-one", "kernel heap overflow", "kernel uaf due to double-release", "heap-buffer-overflow"… And it's these bugs that often lead to the scariest situation for regular users, "I just visited a web page and my browser got pwned".
