Windows 8 zero-day code available for sale

French security firm Vupen Security on Tuesday announced that it has developed an exploit to take over a Windows 8 machine running Internet Explorer 10, mere days after the operating system was released for general availability last Friday. The "zero-day" or "0 day" exploit was successful in spite of the significantly enhanced security in Windows that was praised by at least one security researcher for "raising the bar and making things harder to exploit."

The public announcement of the exploit was first made on Twitter by Vupen's chief executive Chaouki Bekrar, who tweeted "We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations." The same tweet credited the exploit to Nicolas Joly, who was described as an "Exploiter" at the company.

Vupen has made the news in the past. We have reported on the company demonstrating exploits that broke out of the vaunted sandbox in the Chrome web browser in 2011, and again in September when it took the lid off a guest-to-host escape that exploited a critical memory corruption vulnerability in the Xen hypervisor.

For all the affirmation of its technical prowess, Vupen is not your traditional security company. Instead of sharing the information openly or with the affected vendor, the company derives its business from selling the details on a non-exclusive basis to governments and organizations that are able to afford it.

If it is of any comfort, the improved security in Windows 8 means that your typical script kiddie won't be figuring it out any time soon. Well, unless they have sufficiently deep pockets to pay Vupen.

For more:
- check out this article at Forbes