bit-tech.net

VUPEN sells Windows 8 zero-day vulnerability code

VUPEN sells Windows 8 zero-day vulnerability code

VUPEN claims to have successfully thwarted all new attack mitigation systems in Internet Explorer 10 and Windows 8 - and is selling the code to the highest bidder.

Security specialist VUPEN claims to have developed a zero-day exploit for Microsoft's latest Windows 8 operating system, and is willing to sell the code to the highest bidder.

Based in France, VUPEN makes its money by developing zero-day exploit code which attacks systems through vulnerabilities not yet publicly known. Zero-day exploits are the holy grail for crackers: if nobody knows about the exploit, nobody can protect against it. As the exploit is used in the wild, it gradually comes to peoples' attention and will eventually be patched - but there is a gap, sometimes days, sometimes years, between a zero-day exploit being developed and the company responsible starting work on a patch for the flaw.

With Windows 8, Microsoft claims to have improved the security within the operating system. In particular, Internet Explorer 10 has been hardened in a variety of ways to close off what is a common attack surface on desktop and laptop machines.

VUPEN claims that Microsoft has messed up somewhere along the way, however. Combining various existing zero-day attacks from its database, the company claims to have developed code to - in the words of the company's chief executive officer Chauoki Bekrar - 'pwn all new Win8/IE10 exploit mitigations' and allow remote code to be executed on a machine.

The news could be disastrous for Microsoft, which declared that it had sold over four million copies of Windows 8 in the three days following its launch last week. If those systems are now vulnerable to attack, the company needs to get working on a fix and fast - but VUPEN isn't going to help.

Unlike most security firms, which practice 'responsible disclosure' and allow the company responsible for a product to fix the flaw before making details of the exploit public, VUPEN has already begun selling the exploit code to its customers. With zero-day attacks often fetching tens of thousands of pounds from interested parties - often governments looking for a leg-up for their information warfare and signals intelligence divisions - VUPEN isn't likely to want Microsoft to find and fix the flaw just yet.

Naturally, VUPEN's claims have not gone unnoticed. Microsoft itself has been unable to confirm or deny the existence of the vulnerability in Windows 8, stating only that details of the flaw have not been shared with its Coordinated Vulnerability Disclosure team.

29 Comments

Discuss in the forums Reply
TheDodoKiller 2nd November 2012, 11:54 Quote
It'd be interesting to know what they sell it for in the end. It's probably quite a big blow for Microsoft, but I'm assuming no-one outside of VUPEN knows that it works? Could it all just be made up?
dyzophoria 2nd November 2012, 11:58 Quote
sounds like they are waiting for Microsoft to pay them for the disclosure,lol, based on what they do, VUPEN looks like a prosecution lawyer :D , on the other hand since its win8+ie10 (which recently was always the case), then a simple (as always) do not use IE10 is the temporary solution
theshadow2001 2nd November 2012, 12:26 Quote
What a bunch of arseholes
sub routine 2nd November 2012, 12:30 Quote
if they sold it to anyone other than micrsoft then surely they would open themselves upto and accessory as by definition this is "malitious" code
lacuna 2nd November 2012, 13:05 Quote
I'm surprised people like this aren't made to 'disappear' by MS
deathtaker27 2nd November 2012, 13:23 Quote
All code has loopholes in it, anyone ever seen a program without some kind of security issue
RichCreedy 2nd November 2012, 13:29 Quote
since code is written by humans, and windows 8 was probably worked on by hundreds if not thousands off peeps there will always be flaws, I think VUPEN should be held accountable for not disclosing responsibly to Microsoft the flaws they have found
sixfootsideburns 2nd November 2012, 13:47 Quote
Anyone else think Microsoft would benefit from just buying companies like VUPEN? If they are so good at finding exploits, just buy them and then step back and let them keep doing the dirty work they already do. Accept now its a benefit not a threat.

Maybe I'm missing the point but it would certainly make sense to me. Its like goverments hiring hackers... If you already know they are good at it, why don't you just make it more beneficial for them to work for you than against you?
GoodBytes 2nd November 2012, 13:51 Quote
This kind of behavior should be illegal. But who am I kidding, doing this, will make them sale it to teh balck market secretly, and make things worse.
fdbh96 2nd November 2012, 14:00 Quote
People like this should be able to get prosecuted. If the exploit affects even a small percentage of win 8, it could be a disaister. Sure microsoft should pay them for it but they should be prevented from selling it to anyone else. Microsoft get screwed over enough as it is.
rollo 2nd November 2012, 14:03 Quote
Testing should of found these flaws
TheBitterNoob 2nd November 2012, 14:50 Quote
@rollo its not simple as that though,Testing doesn't reveal every flaw a code and given the constrains the coders are given even if they found this specific flaw they may likely not embed the fix into the build in time.
dyzophoria 2nd November 2012, 15:13 Quote
Quote:
Originally Posted by rollo
Testing should of found these flaws

if its only as simple as that buddy.. all systems have flaws, fixing the flaws fast is where is the measure on how good a company is :)
towelie 2nd November 2012, 18:46 Quote
Guys did anyone think windows 8 wasn't going to be vulnerable? Even when the beta/CP was out there were working exploits against it.
LordPyrinc 2nd November 2012, 19:49 Quote
If I wanted an OS that looks like Windows 8, I'd simply update to a newer Smart Phone. I plan on sticking with Windows 7 as long as possible.

As for VUPEN, I'm surprised that they can legally get away with this sort of behavior. From the sound of it, they aren't even trying to hide what they are doing.
Kacela 2nd November 2012, 22:49 Quote
/me applauds the proper use of "cracker." :) The difference is intent.
leexgx 3rd November 2012, 05:16 Quote
VUPEN is in France so should not be to hard for MS to do something to them as they are for the most part selling ways to bypass security in windows is illegal as they are contributing to users losing money when one of these 0day stuff happens
PingCrosby 3rd November 2012, 10:35 Quote
When is Windows 9 out?
jb0 3rd November 2012, 13:14 Quote
Quote:
Originally Posted by deathtaker27
All code has loopholes in it, anyone ever seen a program without some kind of security issue

Once. I believe I even have the source.

10 PRINT "Hello world."
20 END
GoodBytes 3rd November 2012, 15:08 Quote
Quote:
Originally Posted by PingCrosby
When is Windows 9 out?

If it's not fixed in Win8, it won't be fixed in Win9.
Ploo 3rd November 2012, 17:39 Quote
Good on them. Information should be exchangable freely and I hope they don't get to face any legal action.
Alecto 3rd November 2012, 18:38 Quote
Quote:
Originally Posted by deathtaker27
All code has loopholes in it, anyone ever seen a program without some kind of security issue

int main()
{
printf("Hello world!\n");

return 0;
}
fdbh96 4th November 2012, 01:04 Quote
Quote:
Originally Posted by Alecto
int main()
{
printf("Hello world!\n");

return 0;
}

Maybe they'll replace windows with that then...
Invictus. 4th November 2012, 01:21 Quote
Quote:
Originally Posted by Kacela
/me applauds the proper use of "cracker." :) The difference is intent.

Actually the difference between hacking and cracking isnt intent.. its hacking = re-writing someones code to do what you want it to (Aka I hacked that code the other night) . Cracking is what is traditionally though of as hacking aka gaining access to something or to crack into a database..
mclean007 5th November 2012, 07:35 Quote
Quote:
Originally Posted by Invictus.
Quote:
Originally Posted by Kacela
/me applauds the proper use of "cracker." :) The difference is intent.

Actually the difference between hacking and cracking isnt intent.. its hacking = re-writing someones code to do what you want it to (Aka I hacked that code the other night) . Cracking is what is traditionally though of as hacking aka gaining access to something or to crack into a database..
Indeed, in fact "hacking" needn't even refer to someone else's code - it can mean writing ("hacking together") code or hardware to make it do things beyond its designers' intentions.
mclean007 5th November 2012, 07:38 Quote
Quote:
Originally Posted by lacuna
I'm surprised people like this aren't made to 'disappear' by MS
Quote:
Originally Posted by sixfootsideburns
Anyone else think Microsoft would benefit from just buying companies like VUPEN? If they are so good at finding exploits, just buy them and then step back and let them keep doing the dirty work they already do. Accept now its a benefit not a threat.
Haha a la the Simpsons - "Buy him out, boys!"

@sixfootsideburns - you mean "except", not "accept".
mclean007 5th November 2012, 07:49 Quote
Quote:
Originally Posted by sub routine
if they sold it to anyone other than micrsoft then surely they would open themselves upto and accessory as by definition this is "malitious" code
There are so many grammatical and spelling errors in this I can't even work out what you're trying to say. Please make at least a token effort to be clear in your posts. What I *think* you're saying is that, by selling their exploit to third parties, VUPEN would be committing a criminal offence. I'm sure they have thought that through. First, it depends on French law (VUPEN being incorporated there), with which I am unfamiliar but I am sure it is less protectionist on these things than US law, and/or the laws of whichever frontier jurisdiction VUPEN chooses to use to do its business (Panama, for example, has very lax restrictions on such things).

Secondly, "accessory" to what? In order to be an accessory, you must knowingly (or at least negligently) have facilitated the perpetration of a crime. The act of executing remote code, in and of itself, is unlikely to be a criminal offence, unless it is for a nefarious purpose. Admittedly it is difficult to come up with legitimate reasons to want to do that, but the point stands.

Thirdly, in order to be prosecuted for a criminal offence, you first have to be CAUGHT. I'm assuming any deals done by VUPEN will be kept very quiet - they may be publicising the fact that they have devised an exploit, but the average customer for such things is unlikely to want his purchase to be publicised.
Jaybles 5th November 2012, 10:52 Quote
Quote:
Originally Posted by fdbh96
People like this should be able to get prosecuted. If the exploit affects even a small percentage of win 8, it could be a disaster. Sure Microsoft should pay them for it but they should be prevented from selling it to anyone else. Microsoft get screwed over enough as it is.

This, but for me the problem isn't Microsoft getting screwed. It's the end user getting their system compromised and the negative effects that could come with that. As far as I am concerned these people are hacking purely for profit and while this is OK in a preventative sense, they are just black hat hackers if they sell elsewhere.
theshadow2001 5th November 2012, 13:41 Quote
Quote:
Originally Posted by mclean007
There are so many grammatical and spelling errors in this I can't even work out what you're trying to say. Please make at least a token effort to be clear in your posts. What I *think* you're saying is...

Wowz! D condesention from ur side of d internets nearly blewed up my computer on to tiny peaces! If ur dat sensative to grammer u shudn't prolly shudnt be on d webs.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums