Vupen offers Windows 8 zero-day for sale


French outfit claims to have defeated Windows 8 security.

French security company Vupen claims to have defeated Windows 8 security just days after the official launch of the operating system, and has offered a zero-day exploit for Windows 8 and Internet Explorer 10 (IE10) for sale.

Vupen offers a number of services, including government-grade exploits for intelligence-service hackers and law enforcement.

The zero-day overcomes security measures such as address space layout randomisation (ASLR) and data execution protection (DEP), Vupen said in a Tweet on Wednesday.

"Our first zero-day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8", said the Twitter message.

Address space layout randomisation helps curb memory-based attacks, and DEP can mitigate applications executing data in certain memory locations, security vendor Kaspersky Lab said in a blog post on Thursday. Return-oriented programming (ROP) techniques help attackers bypass ASLR and DEP, said Kaspersky Lab, in reference to Vupen's anti-ROP bypass claim.

Vupen used a number of zero-days to bypass the Windows 8 and Internet Explorer 10 threat mitigations, Vupen chief executive Chaouki Bekrar said in a Tweet on Wednesday.

"We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations. Congrats to our mitigation mitigator @n_joly", Bekrar said.

Windows 8 launched on Thursday 25 October with a number of low-level security features. For example, Secure Boot uses unified extensible firmware interface (UEFI) instead of BIOS, and early launch anti-malware (ELAM) is a driver that examines other drivers for infection.

Kaspersky Lab said that by claiming a successful zero-day, Vupen also claimed to have cracked these security features.

Microsoft had not responded to a request for comment at the time of writing.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition