So, basically, it's because the plugins themselves haven't been coded right that these attacks can be carried out? (sorry, the paper won't load for me)
The reason Vista was targeted:
This paper is about theoretical ways to circumvent memory protection schemes like ASLR, DEP/NX, SafeSEH, etc.
Vista is the only mainstream OS that makes effective use of all these technologies. Certainly other OSes with similar protection models could be attacked in similar ways. The reason this paper wouldn't make sense against Apple is that Apple doesn't even have most of these protection schemes, and so these techniques are unnecessary. That alone should scare the crap out of Mac users.
This does not expose any particular buffer overflows in IE or Windows. First you need to find one of those, in the right place, with the right things on the stack, and then hope that one of these theories works out in your situation.
Second, you need to target something with DEP / NX turned off, which unfortunately includes IE right now (but that is being worked on).
Third, the paper mainly talks about using plug-ins like Flash and the Java VM to overcome the browser's defenses. These plugins are insecure on all platforms, and they REALLY need to be fixed.
Fourth, nothing in this paper even mentioned Protected Mode IE or UAC, and there is absolutely no claim about privilege escalation - meaning that any attacks against IE using these mechanisms are very limited in what they can achieve.
What it boils down to is a lot of food for thought for those working on Windows security going forward, and I'm sure that many of the concerns here have been known (while perhaps others have not).
The actionable results of this paper are:
1) Adobe needs to get off their asses and fix Flash so it supports DEP, ASLR, and doesn't make so many stupid security mistakes.
2) Sun needs to do the same.
3) Microsoft needs to look at the manipulated .NET PE header proposed in the paper and block that sort of attack.
Which of these do you think will happen first? I know where my money is...
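The first two actionable items come down to whether a plugin's binary opts in to DEP and ASLR, and that is recorded in its PE header. As an added example (not from the thread or the paper, and with function names that are my own), here is a small Python audit of IMAGE_OPTIONAL_HEADER.DllCharacteristics, tested against PE headers constructed inline:

```python
import struct

# IMAGE_DLLCHARACTERISTICS flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image declares itself compatible with DEP/NX
NO_SEH = 0x0400        # image uses no structured exception handlers

def audit_pe(data: bytes) -> dict:
    """Report which memory-protection opt-ins a PE image declares.

    Walks DOS header -> PE signature -> COFF header -> optional header and
    reads DllCharacteristics, which sits at offset 70 of the optional header
    in both PE32 and PE32+. A missing flag means the loader will not apply
    that protection to this module, whatever the rest of the process does.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported or truncated optional header")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
    }

def build_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) used only to exercise audit_pe."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 112 if pe32plus else 96                    # no data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run audit_pe over the bytes of each module loaded in the browser and any plugin reporting dep or aslr as False is one the paper's techniques can lean on.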