VUPEN sells Windows 8 zero-day vulnerability code
November 2, 2012 // 10:45 a.m.
Security specialist VUPEN claims to have developed a zero-day exploit for Microsoft's latest Windows 8 operating system, and is selling the code to its customers rather than reporting the underlying flaws to Microsoft.
Based in France, VUPEN makes its money by developing zero-day exploit code which attacks systems through vulnerabilities not yet publicly known. Zero-day exploits are the holy grail for attackers: if the vendor does not know about the flaw, there is no patch for it, and the only thing standing in the attacker's way is whatever generic exploit mitigation the platform ships with. As the exploit is used in the wild, it gradually comes to people's attention and will eventually be patched - but there is a gap, sometimes days, sometimes years, between a zero-day exploit being developed and the company responsible learning of the flaw and starting work on a fix.
With Windows 8, Microsoft claims to have improved the security within the operating system. In particular, Internet Explorer 10 has been hardened in a variety of ways to close off what is a common attack surface on desktop and laptop machines: its Enhanced Protected Mode runs tab processes in a low-privilege AppContainer sandbox, and the operating system itself widens the reach of mitigations such as ASLR and DEP, which are designed to make a memory-corruption bug hard to exploit even when the bug itself is unknown.
VUPEN claims that Microsoft has messed up somewhere along the way, however. Combining several distinct zero-day vulnerabilities from its database, the company claims to have developed code to - in the words of the company's chief executive officer Chaouki Bekrar - 'pwn all new Win8/IE10 exploit mitigations' and achieve remote code execution on a machine. The emphasis on combining bugs matters: against a hardened browser, a single memory-corruption flaw is rarely enough on its own, and a working exploit typically chains it with further bugs to defeat ASLR and to escape the sandbox, which is why VUPEN presents this as a bypass of the mitigations rather than as one vulnerability.
The news is awkward for Microsoft, which declared that it had sold over four million copies of Windows 8 in the three days following its launch last week. If those systems can be compromised through a chain of flaws nobody else knows about, the company needs to get working on a fix, and fast - but VUPEN isn't going to help.
Unlike most security firms, which practise 'responsible disclosure' (the practice Microsoft now calls coordinated vulnerability disclosure) and allow the company responsible for a product to fix the flaw before making details of the exploit public, VUPEN has already begun selling the exploit code to its customers. With zero-day attacks often fetching tens of thousands of pounds from interested parties - often governments looking for a leg-up for their information warfare and signals intelligence divisions - VUPEN isn't likely to want Microsoft to find and fix the flaws just yet: an exploit loses its value the moment a patch ships.
Naturally, VUPEN's claims have not gone unnoticed. Microsoft itself has been unable to confirm or deny the existence of the vulnerability in Windows 8, stating only that details of the flaw have not been shared with its Coordinated Vulnerability Disclosure team.