November 05, 2012

Vupen discovers Windows 8 zero-day exploit for sale

Controversial French security firm Vupen, which sells software vulnerability information to governments and businesses, has claimed it has discovered a zero-day exploit in Microsoft's Windows 8 operating system and the latest iteration of the company's browser, Internet Explorer 10. Last week, Vupen CEO Chaouki Bekrar tweeted that “various” IE10 and Windows 8 vulnerabilities had been combined to circumvent exploit mitigation safeguards in Windows 8, which was released to the public on Oct. 26. The exploit was reportedly not disclosed to Microsoft, nor was its price made public. Vupen did reveal that the zero-day could allow a particularly skilled hacker to bypass embedded security measures, which include high-entropy address space layout randomization (HiASLR), anti-return oriented programming (AntiROP), data execution prevention (DEP) and protected-mode sandbox.

Related Articles
Related Topics
Related Links

More in News

Twitter begins rollout of two-factor authentication to limit account takeovers

Following a series of high-profile Twitter account hijacks, the microblogging service finally has delivered two-factor authentication.

Commission offers suggestions for stemming online spy threat from China

The 100-page report mostly addresses alleged Chinese cyber espionage operations, and suggests it's time for U.S. government agencies and corporations to consider more proactive approaches, possibly including hack-backs.

Researchers link "Sunshop" group to recent espionage attacks

The IE exploit was most recently used in watering hole attacks directed at the U.S. Department of Labor website.