Last week’s Windows 8 launch wasn’t just a major product release for Microsoft. It seems to have been a banner day for the government-funded hackers who take Microsoft’s software apart, too.
On Tuesday the French firm Vupen, whose researchers develop software hacking techniques and sell them to government agency customers, announced that it had already developed an exploit that could take over a Windows 8 machine running Internet Explorer 10, in spite of the many significant security upgrades Microsoft built into the latest version of its operating system.
“We welcome #Windows 8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Vupen’s chief executive Chaouki Bekrar wrote on Twitter Tuesday, using an abbreviation for the industry term “zero-days” to refer to security vulnerabilities unknown to Microsoft that his team has discovered in the company’s software, as well as the hacker slang “pwn”–to hack or take control of a machine.
Bekrar’s claim follows up on his promise earlier in the month that Vupen would be ready to compromise Windows 8 immediately upon its launch: “Windows 8 will be officially released by MS on Oct 26th, we’ll release to customers the 1st exploit for Win8 the same day #CoordinatedPwnage”
When I followed up with Bekrar, he wrote to me in an email that the Windows 8 attack would be included in the company’s Threat Protection Program, the defense-focused part of its business, and didn’t answer questions about whether it would be sold as an offensive measure, too. “The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar wrote.
But despite Bekrar’s careful response, it’s no secret that Vupen does sell its customers tools for attack as well as defense. As I wrote last March, the company sells exploits non-exclusively to its collection of government customers for use in intelligence and law enforcement surveillance. A talk that Bekrar gave at a surveillance technology conference in Washington, D.C. earlier this month was titled “Sophisticated Exploits for IT intrusion and Offensive Security” and offered to demonstrate “how VUPEN’s exclusive and sophisticated exploits taking advantage of computer and mobile vulnerabilities can be useful as attack vectors to remotely penetrate criminals’ PCs and phones (e.g. to install monitoring software) via various attack vectors.”
Vupen’s claim to have defeated the new fortifications Microsoft has built into Windows 8 represents no small feat. The new version of the software comes with an anti-malware application called Windows Defender by default, and replaces Windows’ traditional BIOS–the part of a computer’s memory that boots its operating system and initializes system components–with a system known as Unified Extensible Firmware Interface, which is designed to prevent any tampering that might affect the operating system at startup. It also has revamped a security measure known as Address Space Layout Randomization, which hides programs’ executable commands at random places in a computer’s memory so that a software exploit can’t easily take advantage of a bug in a target application to find and run commands for malicious purposes. And the latest version of Internet Explorer uses an improved “sandbox” mode designed to prevent a hacker who attacks the browser from gaining further access to the system.
Bekrar says that after “many months” of work, Vupen has defeated all those security measures with the new exploit it’s offering to customers, though he didn’t share details.
The value of Vupen’s exploits, after all, depends largely on their remaining secret to prevent the targeted software’s vulnerabilities from being patched. It’s no surprise that the company hasn’t shown its research to Microsoft, according to Microsoft’s director of Trustworthy Computing Dave Forstrom. “We saw [Vupen’s] tweet, but further details have not been shared with us,” Forstrom wrote to me in a statement. “We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection.”
Vupen is just one of a number of companies that have created controversy in the security community by profiting from zero-day exploits rather than working with software firms to fix the hackable vulnerabilities they use. Other exploit-selling firms include Netragard, Endgame, Northrop Grumman and Raytheon, according to sources I’ve spoken to in the budding industry, and single zero-day exploits that target a popular piece of software like Google’s Chrome browser or Apple’s iOS can sell for more than $100,000. In March, the hacker-friendly Electronic Frontier Foundation spoke out against the practice but was met with a wide backlash from the security community, who argued that banning zero-day sales would represent “giving up freedom for security,” as former NSA hacker and Immunity Sec founder Dave Aitel put it.
Vupen, for its part, claims to sell its hacking techniques only to Nato governments and “Nato partners,” though Bekrar told me when we spoke earlier this year that controlling the spread of any exploit is difficult. “If you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency,” Bekrar said at the time.
Despite Vupen’s claim that it has already created a working exploit for Windows 8, Microsoft’s new security measures may still stymie less sophisticated hackers, says Wolfgang Kandek, chief technology officer at the software vulnerability-focused security firm Qualys. “Windows 8 has definitely raised the bar. Most attackers won’t be able to do anything against it for the moment,” he says.
But he doesn’t doubt that Vupen’s team of professional exploit researchers has done what most hackers can’t. “I believe Vupen is correct in what they’re saying,” he says. “They’re very bright people, and they’re very good at finding a piece of software’s weaknesses.”