I finally got around to playing with Alexander Sotirov's new heap tricks for attacking browsers. If you haven't read his paper, you can find it here:
http://determina.com/security.research/presentations/bh-eu07/bh-eu07-sotirov-paper.html
In short: Alexander has reverse-engineered the way the heap gets allocated and freed in IE and written some tools in JavaScript that allow you to control heap allocations. Where normal heap spraying is quick and dirty and gets the job done often enough, this gives you the control to make an exploit truly reliable. It does take a very deep understanding of the internals of process heaps and of how vulnerabilities are actually exploited to understand how it works, which is good because script kiddies suck.
The Blog for Absolutely Nothing!
2007-07-31