Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft’s latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together.
The announcement came from VUPEN CEO Chaouki Bekrar on Twitter:
— Chaouki Bekrar VUPEN (@cBekrar) October 30, 2012
If you’ve never heard of VUPEN, that’s because it isn’t your typical security company. The firm finds exploits in popular software from major technology companies like Microsoft, Apple, and Google, only to sell the details to governments around the world and various other parties willing to write massive cheques.
That’s right; the exploits aren’t reported to the companies affected, but are instead sold so that: VUPEN customers can protect themselves (while their competitors are left vulnerable), they can be abused for spying purposes, and they can be used to create malware. This is why, if you read the tweet above again, you’ll note that this latest victory was only possible thanks to multiple already-existing 0-days that VUPEN found and did not disclose publicly. If it had, it would not be able to sell them, nor would it be able to hack Windows 8, as Microsoft would have already patched the flaws long ago.
In fact, this particular set of exploits is already on sale:
Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8
— VUPEN Security (@VUPEN) October 30, 2012
Windows 8 builds on the security improvements made in Windows 7 and Windows Vista, but no software is perfect. Unfortunately, until Microsoft or someone else figures out how VUPEN did it, Windows 8 won’t be patched.
On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago. After all, many have had access to the final version of Windows 8 long before it was released last Friday.
We have contacted Microsoft about this finding. We will update this article if and when we hear back.
Update at 3:55PM EST: “We saw the tweet, but further details have not been shared with us,” a Microsoft spokesperson said in a statement. “We continue to encourage researcher to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection.”
Image credit: Kriss Szkurlatowski