VUPEN sells Windows 8 zero-day vulnerability code
VUPEN claims to have successfully thwarted all new attack mitigation systems in Internet Explorer 10 and Windows 8 - and is selling the code to the highest bidder.
Based in France, VUPEN makes its money by developing zero-day exploit code which attacks systems through vulnerabilities not yet publicly known. Zero-day exploits are the holy grail for crackers: if nobody knows about the exploit, nobody can protect against it. As the exploit is used in the wild, it gradually comes to peoples' attention and will eventually be patched - but there is a gap, sometimes days, sometimes years, between a zero-day exploit being developed and the company responsible starting work on a patch for the flaw.
With Windows 8, Microsoft claims to have improved the security within the operating system. In particular, Internet Explorer 10 has been hardened in a variety of ways to close off what is a common attack surface on desktop and laptop machines.
VUPEN claims that Microsoft has messed up somewhere along the way, however. Combining various existing zero-day attacks from its database, the company claims to have developed code to - in the words of the company's chief executive officer Chauoki Bekrar - 'pwn all new Win8/IE10 exploit mitigations' and allow remote code to be executed on a machine.
The news could be disastrous for Microsoft, which declared that it had sold over four million copies of Windows 8 in the three days following its launch last week. If those systems are now vulnerable to attack, the company needs to get working on a fix and fast - but VUPEN isn't going to help.
Unlike most security firms, which practice 'responsible disclosure' and allow the company responsible for a product to fix the flaw before making details of the exploit public, VUPEN has already begun selling the exploit code to its customers. With zero-day attacks often fetching tens of thousands of pounds from interested parties - often governments looking for a leg-up for their information warfare and signals intelligence divisions - VUPEN isn't likely to want Microsoft to find and fix the flaw just yet.
Naturally, VUPEN's claims have not gone unnoticed. Microsoft itself has been unable to confirm or deny the existence of the vulnerability in Windows 8, stating only that details of the flaw have not been shared with its Coordinated Vulnerability Disclosure team.
Previous Article
29 Comments
Discuss in the forums ReplyMaybe I'm missing the point but it would certainly make sense to me. Its like goverments hiring hackers... If you already know they are good at it, why don't you just make it more beneficial for them to work for you than against you?
if its only as simple as that buddy.. all systems have flaws, fixing the flaws fast is where is the measure on how good a company is :)
As for VUPEN, I'm surprised that they can legally get away with this sort of behavior. From the sound of it, they aren't even trying to hide what they are doing.
Once. I believe I even have the source.
10 PRINT "Hello world."
20 END
If it's not fixed in Win8, it won't be fixed in Win9.
int main()
{
printf("Hello world!\n");
return 0;
}
Maybe they'll replace windows with that then...
Actually the difference between hacking and cracking isnt intent.. its hacking = re-writing someones code to do what you want it to (Aka I hacked that code the other night) . Cracking is what is traditionally though of as hacking aka gaining access to something or to crack into a database..
@sixfootsideburns - you mean "except", not "accept".
Secondly, "accessory" to what? In order to be an accessory, you must knowingly (or at least negligently) have facilitated the perpetration of a crime. The act of executing remote code, in and of itself, is unlikely to be a criminal offence, unless it is for a nefarious purpose. Admittedly it is difficult to come up with legitimate reasons to want to do that, but the point stands.
Thirdly, in order to be prosecuted for a criminal offence, you first have to be CAUGHT. I'm assuming any deals done by VUPEN will be kept very quiet - they may be publicising the fact that they have devised an exploit, but the average customer for such things is unlikely to want his purchase to be publicised.
This, but for me the problem isn't Microsoft getting screwed. It's the end user getting their system compromised and the negative effects that could come with that. As far as I am concerned these people are hacking purely for profit and while this is OK in a preventative sense, they are just black hat hackers if they sell elsewhere.
Wowz! D condesention from ur side of d internets nearly blewed up my computer on to tiny peaces! If ur dat sensative to grammer u shudn't prolly shudnt be on d webs.