Re: So that's alright then
>>"I do remember reading elsewhere that ASLR on 32 bit systems was a dubious concept to begin with, and that on 64 bit systems people were predicting that ways around it would be found sooner or later"
It's not my area but I understand that with the much smaller address space in 32-bit systems, ASLR's benefit is of much less value because the randomization is of necessity far smaller and therefore less of an obstacle. The thing about ASLR is that it is not a fix, it is a mitigation that offers some value in conjunction with other techniques. For 32-bit systems MS are essentially saying that the value is not significant. HP are saying that it is.
I do not know enough about this area to say who is correct. I do think that HP are correct to disclose this now that MS have confirmed they won't fix it.
>>"What can be patched is the underlying security hole in Windows or IE (whatever it is, if it exists)"
There isn't a specific underlying security hole in this instance. HP have simply reported a flaw with the mitigation measure itself. MS haven't refused to fix any underlying flaw so far as I am aware.