Friday, 2 November 2012

VUPEN Pwns Windows 8 & IE10

Windows 8 (used with permission from Microsoft)
Windows 8 is pwned. IE10 is pwned.

Yes, already. But you're unlikely to hear much in the way of detailed descriptions of the multiple, preexisting zero-day vulnerabilities chained together to effect these new ones. That's because their discoverer is essentially a black hat: the French security firm VUPEN.

With all the talk about cyber security, cyber wars, and preemptive legislation coming from ploiticos east and west, you might have thought that governments would be among the first, and most willing, to condemn and criminalize a company like VUPEN. This is an organization whose business model is to discover security holes in the products of giants like Microsoft, Google, or Apple, then rather than disclose these flaws for patching, sell the information to the highest bidder for use in arbitrary attacks.

Follow The Money

Patching would make everybody safer, and increase our confidence in the various devices and services we have to use every day, but it doesn't carry the same high financial rewards as selling your knowledge to whomever wants to exploit it most. Meanwhile, those governments we rely on to make the best choices for us, to legislate and protect us, yada yada... well it turns out, those are exactly the kind of people who most desire the ability to intercept, spy on, record, even to corrupt or otherwise modify, our communications, activities, and sundry interactions with others. And, of course, they have the resources to get themselves into that highest bidders' club.

So today, we learn that Microsoft's best, most advanced and up to date security features are broken. VUPEN is already advertising and selling malware kits offering the buyer exclusive access to everything on your Windows 8 machine. Worst of all, Microsoft will probably remain unable to patch these vulnerabilities, whose nature is so closely guarded by the baddies. On the other hand, that does limit the number of agents able to exploit these holes - you might see that as a kind of mitigation.

Hat tip: TheNextWeb

No comments:

Post a Comment