Company claims to have found zero-day Windows 8 exploit

Has Windows 8 been broken just a few days after its launch? A French security company called VUPEN claims to have found a zero-day exploit and is now selling that information to companies.

VUPEN says in a Twitter post that they have found a way around the security features for both Windows 8 and Internet Explorer 10. It is now selling that information to any companies or governments willing to pay lots of money to protect their Windows 8 systems.

VUPEN is a bit controversial in the computer security business in that it does not actually tell companies like Microsoft what kinds of exploits it has discovered. Microsoft has made much of the fact that Windows 8 uses the Unified Extensible Firmware Interface, or UEFI, to help better protect its newest PC OS.

In a statement, Microsoft says, "We saw the tweet, but further details have not been shared with us. We continue to encourage researchers to participate in Microsoft's Coordinated Vulnerability Disclosure program to help ensure our customers' protection."

Via: TheNextWeb.com
Source: VUPEN on Twitter


48 Comments

To NeoPogo: Win8 came out a week ago, it's quite normal that somebody finds a few flaws somewhere!

I definitely think that their methods are quite not ethical, but that's true, in the world we live in, working for hours and hours on a specific goal should pay.

If I were them, I would surely inform Microsoft first that I found a 0day. I'm sure Microsoft would be willing to negotiate on a payment settlement; then the end-user could be on a more secure workstation! Which is the main goal, I think, when working in computer security.

You would think that Microsoft can now sue this company for being part of a crime. Because that's exactly what they are doing, aiding and abetting a crime by selling their tool to another criminal.

No government or company in its right mind would be using Win 8 anyway ... it will be interesting though once the general public starts getting Win 8 focused malware... can't wait to see the first person with live tiles scrolling porn hah..

Hello,

VUPEN is well-known in the security field, and regardless of how people may feel about their business model, their research has always been of high quality. I have no reason to doubt that the announcement by them of a Windows 8 vulnerability is, in fact, legitimate.

Regards,

Aryeh Goretsky

goretsky said,
Hello,

VUPEN is well-known in the security field, and regardless of how people may feel about their business model, their research has always been of high quality. I have no reason to doubt that the announcement by them of a Windows 8 vulnerability is, in fact, legitimate.

Regards,

Aryeh Goretsky

So instead of telling MS about the exploit so that THEY can fix it, they want to sell the info to companies so they can protect themselves. Wouldn't protecting themselves mean allowing MS to patch the vulnerability? Not being sarcastic, I'm just being serious. Maybe I'm missing something.

Why would they?

Finding security holes requires time and money. Why would they work for MS for free???

MS has enough money to pay and they should pay those guys for their hard work.

jimmyfal said,

So instead of telling MS about the exploit so that THEY can fix it, they want to sell the info to companies so they can protect themselves. Wouldn't protecting themselves mean allowing MS to patch the vulnerability? Not being sarcastic, I'm just being serious. Maybe I'm missing something.

You are missing the fact that when they would tell Microsoft directly, they won't make as much money as they do with selling the information to governments or other companies.

Besides, protecting yourself might not be the only reason to buy such information. Governments pay a lot of money for 0day exploits so they can do, for example, targeted attacks.

goretsky said,
Hello,

VUPEN is well-known in the security field, and regardless of how people may feel about their business model, their research has always been of high quality. I have no reason to doubt that the announcement by them of a Windows 8 vulnerability is, in fact, legitimate.

Regards,

Aryeh Goretsky

I found a typographical error in your comment. I will tell anybody more about it for a fee.

buksnatata said,
Microsoft should really sue this company; it is blackmail, but yes, like Brony said, it is Microsoft's fault.

How is it Microsoft's fault? I don't even like Microsoft, but it's definitely not their fault. Every piece of software has flaws. Especially this new and this complex.

I disagree with some comments. This company is blackmailing Microsoft; however, who is the guilty one? Microsoft.

Brony said,
I disagree with some comments. This company is blackmailing Microsoft; however, who is the guilty one? Microsoft.

Guilty of what? Congrats, you're blaming the victim.

Brony said,
I disagree with some comments. This company is blackmailing Microsoft; however, who is the guilty one? Microsoft.

No software is without flaws. NONE.

It should be against the law to sell this type of information. I hope someone kicks them fair in the nuts. More than once.

Wow, so they found an exploit in Windows, which has all of its file system and files available, and all of its RAM unencrypted and easily dumpable, and so many analysis tools available at its disposal. What do they want us to do, kiss their ass? I'm sure others have already found some exploits already, but they are not trying to whore themselves out like this company.

It won't be long before someone else finds the info and does the ethical thing and releases the info to those who need to know how to fix it.

offroadaaron said,
Will MS pay them for it to find out what it is and stop it?

No. MS will only pay something like $100K if it's incredibly serious, jokers like these want a lot more than that.

offroadaaron said,
Will MS pay them for it to find out what it is and stop it?

If I were MS, I'd sue the **** out of them, and force them to give me advanced notification for FREE when they find security flaws in my stuff. This is not the first time they've done stupid **** like this and if you ask me it's pretty ridiculous.

When a flaw is found for Windows, it's called a 0-day exploit. When a flaw is found in an Apple product, it's enthusiastically hailed as an opportunity to jailbreak.

rfirth said,
When a flaw is found for Windows, it's called a 0-day exploit. When a flaw is found in an Apple product, it's enthusiastically hailed as an opportunity to jailbreak.

I just now found out how much it hurts to spray Dr. Pepper out your nose from loling so hard. Thank you sir for this eye opening experience.

Notice the tweet was October 30, apparently no one cares since this hasn't been reported until today. They need to work on 0-day tweets.

siah1214 said,
Douchebags.

To expound on this, it sounds like they're saying "secret, secret, I've got a secret, now pay me a boatload of cash to find out what it is"
It may be an effective business model but it's a douche one.

"It is now selling that information to any companies or governments willing to pay lots of money to protect their Windows 8 systems." which amounts to what? Three?

Breach said,
"It is now selling that information to any companies or governments willing to pay lots of money to protect their Windows 8 systems." which amounts to what? Three?

Probably means any hacker willing to pay....

Breach said,
"It is now selling that information to any companies or governments willing to pay lots of money to protect their Windows 8 systems." which amounts to what? Three?

Actually, it is over 4 million, and that was in 4 days, and only upgrades.

nohone said,

Actually, it is over 4 million, and that was in 4 days, and only upgrades.

I am referring to the 'companies' and 'governments' bit. I work for a governmental organisation and we have finished our Windows 7 migration last month.

Breach said,

I am referring to the 'companies' and 'governments' bit. I work for a governmental organisation and we have finished our Windows 7 migration last month.

Still, want to prove only three have switched?

nohone said,

Still, want to prove only three have switched?

You seriously think people have switched to Windows 8 in a company? Seriously . . .

erikpienk said,
****ing greedy companies make this world worse for everyone

Very true, but in this day and age, which large companies aren't greedy?