VUPEN Finds Windows 8 Security Flaws – But Won’t Tell Microsoft

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

VUPEN will tell its customers, not Microsoft, about Windows 8 and IE10 vulnerabilities

VUPEN, a controversial zero-day vulnerability merchant, claims to have found various holes in Windows 8 security, which could hand hackers complete control of a user’s operating system.

Since its launch on 26 October, Windows 8 has been the subject of much scrutiny, not least from hackers looking to exploit the new operating system. Trend Micro uncovered malware targeting the OS earlier this week.

Now VUPEN, which recently confirmed plans to set up an office in the UK, confirmed to TechWeekEurope it had found a number of flaws across the Microsoft OS and Internet Explorer 10.

Microsoft left in the dark

Microsoft will not be told about the French company’s findings, however. VUPEN only informs its customers about flaws it finds and does not tell vendors – something that has attracted criticism from members of the security community.

“We have researched and discovered multiple vulnerabilities in Windows 8 and Internet Explorer 10 that we have combined together to achieve a full remote code execution via a web page which bypasses the new exploit-mitigation technologies included in Windows 8,” VUPEN CEO Chaouki Bekrar told TechWeekEurope.

Microsoft said it was aware of tweets from VUPEN on a Windows 8 flaw. “But further details have not been shared with us. We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection,” said Microsoft’s Trustworthy Computing director, Dave Forstrom.

But VUPEN had plenty of praise for Windows 8 security, noting a number of the additional features such as a “robust” IE10 Protected Mode sandbox and anti-return-oriented programming (anti-ROP) technologies. ROP attacks chain together fragments of code already present in memory to form a malicious payload.

Defeating Address Space Layout Randomisation (ASLR) has become increasingly hard too, according to Bekrar. ASLR strengthens system security by randomising the memory layout of an executing program, decreasing the probability of exploiting a known memory manipulation vulnerability.

Windows 8 security praise

“As for any new technology, the VUPEN research team has been working for many months to get an in-depth knowledge of the security of Windows 8 and Internet Explorer 10 before their public release, and we can say that this new Microsoft operating system is definitely the most secure version of Windows so far as it includes a huge number of exploit-mitigation technologies,” Bekrar added.

“We do not expect to see, in the short term, attackers creating an exploit for Windows 8 and Internet Explorer 10 as the cost would be too high.”

Some will remain upset that VUPEN will not share its findings with Microsoft. Many want exploit sellers like Bekrar to share their information with vendors, so that when patches do appear, all users are protected. But that would harm the VUPEN business model. It is believed exploit sellers can make as much as $500,000 from just a single vulnerability and the accompanying tools used to attack it.

Earlier this week, chief research officer at F-Secure, Mikko Hypponen, told TechWeekEurope he did not see companies like VUPEN as being part of the security industry.

“What I hate is that these exploit brokers or exploit exporters see themselves, in some cases, as part of the security industry and they absolutely are not part of the security industry,” he said.

“These companies are not interested in securing anything at all. Quite the opposite – they are interested in keeping these flaws in the products forever. They go to great lengths to make sure Microsoft or Google don’t patch, or Siemens doesn’t patch, so they can sell their goods for a longer time. So they are not in the security industry.”
