Free Republic

Security firm VUPEN claims to have hacked Windows 8 and IE10
The Next Web ^ | 11/1/12 | Emil Protalinski

Posted on 11/01/2012 10:14:10 PM PDT by zeugma

Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft’s latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together.

The announcement came from VUPEN CEO Chaouki Bekrar on Twitter:

We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations. Congrats to our mitigation mitigator @n_joly

— Chaouki Bekrar VUPEN (@cBekrar) October 30, 2012

If you’ve never heard of VUPEN, that’s because it isn’t your typical security company. The firm finds exploits in popular software from major technology companies like Microsoft, Apple, and Google, only to sell the details to governments around the world and various other parties willing to write massive cheques.

That’s right; the exploits aren’t reported to the companies affected, but are instead sold so that: VUPEN customers can protect themselves (while their competitors are left vulnerable), they can be abused for spying purposes, and they can be used to create malware. This is why, if you read the tweet above again, you’ll note that this latest victory was only possible thanks to multiple already-existing 0-days that VUPEN found and did not disclose publicly. If it had, it would not be able to sell them, nor would it be able to hack Windows 8, as Microsoft would have already patched the flaws long ago.

In fact, this particular set of exploits is already on sale:

Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8

— VUPEN Security (@VUPEN) October 30, 2012

Windows 8 builds on the security improvements made in Windows 7 and Windows Vista, but no software is perfect. Unfortunately, until Microsoft or someone else figures out how VUPEN did it, Windows 8 won’t be patched.

On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago. After all, many have had access to the final version of Windows 8 long before it was released last Friday.

We have contacted Microsoft about this finding. We will update this article if and when we hear back.

Update at 3:55PM EST: “We saw the tweet, but further details have not been shared with us,” a Microsoft spokesperson said in a statement. “We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection.”

TOPICS: Business/Economy; Culture/Society; News/Current Events
KEYWORDS: hacked; msfailsagain; win8

Can't particularly say that I care for the way the company making this claim operates, but it's worth knowing that Win8 and IE10 have already been hacked. With any luck, someone more ethical will discover these exploits and disclose them to the vendor.

Is anyone actually surprised by this?

It's also posted on /.

1 posted on 11/01/2012 10:14:15 PM PDT by zeugma

To: zeugma
VUPEN won the 2012 Pwn2Own competition with two zero-days.

I wonder how long VUPEN will be permitted to openly sell exploits. Also, I wonder how much they make per exploit.

2 posted on 11/02/2012 12:45:35 AM PDT by TChad

To: ShadowAce; Swordmaker

Ping worthy?

3 posted on 11/02/2012 9:01:57 AM PDT by zeugma (Rid the world of those savages. - Dorothy Woods, widow of a Navy Seal, AMEN!)
