VUPEN, a controversial zero-day vulnerability merchant, claims to have found various holes in Windows 8 security, which could hand hackers complete control of a user’s operating system.
Since its launch on 26 October, Windows 8 has been the subject of much scrutiny, not least from hackers looking to exploit the new operating system. Trend Micro uncovered malware targeting the OS earlier this week.
Now VUPEN, which recently confirmed plans to set up an office in the UK, confirmed to TechWeekEurope it had found a number of flaws across the Microsoft OS and Internet Explorer 10.
Microsoft will not be told about the French company’s findings, however. VUPEN only informs its customers about flaws it finds and does not tell vendors – something that has attracted criticism from members of the security community.
Microsoft said it was aware of tweets from VUPEN on a Windows 8 flaw. “But further details have not been shared with us. We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection,” said Microsoft’s Trustworthy Computing director, Dave Forstrom.
But VUPEN had plenty of praise for Windows 8 security, noting a number of the additional features such as a “robust” IE10 Protected Mode sandbox and anti-return oriented programming (anti-ROP) technologies. ROP attacks see code in memory rearranged to form a malicious payload.
Defeating Address Space Layout Randomisation (ASLR) has become increasingly hard too, according to Bekrar. ASLR strengthens system security by randomising the memory layout of an executing program, decreasing the probability of exploiting a known memory manipulation vulnerability.
“As for any new technology, the VUPEN research team has been working for many months to get an in-depth knowledge of the security of Windows 8 and Internet Explorer 10 before their public release, and we can say that this new Microsoft operating system is definitely the most secure version of Windows so far as it includes a huge number of exploit-mitigation technologies,” Bekrar added.
“We do not expect to see, in the short term, attackers creating an exploit for Windows 8 and Internet Explorer 10 as the cost would be too high.”
Some will remain upset VUPEN will not share its findings with Microsoft. Many want exploit sellers like Bekrar to share their information with vendors, so when patches do appear, all users are protected. But that would harm the VUPEN business model. It is believed exploit sellers can make as much as $500,000 from just a single vulnerability and the accompanying tools used to attack it.
Earlier this week, chief research officer at F-Secure, Mikko Hypponen, told TechWeekEurope he did not see companies like VUPEN as being part of the security industry.
“What I hate is that these exploit brokers or exploit exporters see themselves, in some cases, as part of the security industry and they absolutely are not part of the security industry,” he said.
“These companies are not interested in securing anything at all. Quite the opposite – they are interested in keeping these flaws in the products forever. They go to great lengths to make sure Microsoft or Google don’t patch, or Siemens doesn’t patch, so they can sell their goods for a longer time. So they are not in the security industry.”
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
there are one ms dynamics line can be owned without activating, which one is it? I will reveal soon