Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10

An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."

Re:have fun hacking a OS that few want to run

[BronsCon]

Well, it's more than 01, less than 11, and still only a 2-bit binary integer.

Re:

[Doctor_Jest]

Up to, but not including, 10. Reads like an old Sun Microsystems license agreement, doesn't it? I remember their legalese included the phrase "up to, but not including, 2 processors" on a Solaris 9 agreement. :)

Re:

[tuppe666]

Its a pretty common quote, basically its about the unloved and unwanted Vista

http://www.microsoft.com/en-us/news/exec/steve/2008/10-12AdDay.aspx [microsoft.com]

"STEVE BALLMER: Vista is our best selling product ever. So, if that takes too much getting over -- we're not going to have products that are much more successful than Vista has been. We sold over 180 million copies in the first 18 months, quite successful."

Re:

[wonkey_monkey]

IE8: See IE7, they never fixed the bug.

What bug, specifically, is this? Or have you just screwed up your IE and you're intent on blaming it on Microsoft?

Re:

[hawkinspeter]

How do you screw up a browser unless you're changing it's code?

Re:

[mcgrew]

Screwing around with the registry. The wrong registry entry in the right place will cause any program to go "boom".

Lesser Target Security.

[TechyImmigrant]

I thought that little used operating systems were less vulnerable because fewer hackers would target them compared to popular, mass market operating systems such as Linux and MacOS.

Re:Lesser Target Security.

[Shoten]

Yes, but that effect covers casual attackers. When your attacker is well-resourced and determined to hack YOU...then it's not such a good thing, because they're willing to find the specific vulnerabilities in an obscure OS or application. Microsoft Windows gets pretty well wrung-out because of all the attention. For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched. But if a nation-state actor or large criminal organization had a reason to hack OSX, they probably would have looked for (and found) some 0-days on their own, then leveraged them.

Re:

[Desler]

For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched.

You mean programs like Java and Flash were full of vulnerabilities. Also, people manually installing trojans on their system is not an OS vulnerability. Care to share these "vulnerabilities" that weren't in third-party software or malware that users were installing themselves? Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

Re:

[tlhIngan]

Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

Safari has/had nasty bugs that took advantage of the "auto-open safe files" default setting, which I think counts as they're distributed by the same vendor as the OS and it comes preinstalled.

I think QuickTime is similar as well a few malicious MOV files can get you hooped.

Bunches of flaws in the open-source software it comes with as well (though we usually attribute that to the software on Linux, and to OS X on OS X. S

Windows insecure, Linux difficult

[aNonnyMouseCowered]

I guess plenty of Slashdot discussions still revolve around the "reputations" these two OS types established at the start of the millenium. It's nice for a joke or two, or for some clueless fanboy to rant about. But the latest Windows and Linux releases are roughly at the same level of in/security and difficulty/ease of use, bar things like misbehaving user pograms and unsupported hardware. The moral here maybe that if you're starting a new software product you have to put equal attention into these two thi

Re:

[TechyImmigrant]

The moral here maybe that if you're starting a new software product you have to put equal attention into these two things.

Software? I design cryptographic hardware for a living you insensitive clod!

Re:

[Anonymous Coward]

Bull [cough] Shill [cough] Shit

Re:

[Seeteufel]

I expect those fanboys to run Windows 8s = Windows Aids and search for bugs and vulnerabilities. Actually, I never had a virus with Linux, and my drupal server was only once compromised. The reason I like windows is that third party apps just work, the reason why I use Linux is the shell and multiple desktops. I mostly need Firefox and Thunderbird and Irssi, that is all.

Re:

[mevets]

MicroSoft released a pretty decent surface.

crickets..

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

You can side-load apps on RT. ;)

Re:

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Windows RT?

[cbhacking]

Actually, getting a sideloading key is dead easy. You have to run Powershell as Admin, then type Show-WindowsDeveloperLicenseRegistration (or just "show-wi" and hit Tab). Enter Windows Live credentials - anything, including a throw-away account created for the purpose, will work - and boom, you are unlocked for sideloading. Works on Windows 8 (Pro, Enterprise, or otherwise) and on Windows RT (tested it on a Surface).

http://msdn.microsoft.com/en-us/library/windows/apps/Hh974578.aspx [microsoft.com]

I don't know what's up with that old data that says you can't. That's been bouncing around for almost a year, and as far as I can tell it was *never* true, even on pre-release versions. You've been able to unlock Win8 for sideloading since the first preview builds came out! It's as though there's two completely different teams talking about this. Well, three (the one that says *only* Store apps are allowed) but the last one is the marketing team trying to keep the n00bs from getting confused; they are safely ignorable. Fortunately, the team that supports the more open approach is the one that is correct.

Re:Windows RT?

[Microlith]

Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system. It's more akin to Apple's extreme restrictions on side loading than Android's 3rd party sources checkbox. The only difference is that Microsoft isn't charging you $99 to get one. You're still at Microsoft's mercy, and no one can use your application unless they too are capable of repeating the steps.

I don't know why people keep defending this. It's designed explicitly to inhibit people from using it and bypassing the store.

Re:

[westlake]

Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system.

Let's be honest here:

The geek sideloads.

The convenience and security of the app store and the apps sideloaded by their school, employer, etc., trumps all other considerations for others. How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

Install Visual Studio Express and the recreational or student programmer can renew his key in one or two clicks.

Re:

[graphius]

How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

First, "casual Linux" LOL
second, Many linux users use apps outside their distro. have you ever heard of a program called make?
Ubuntu specifically created ppa's to allow 3rd party programs.
Fedora used to be famous for dependency hell, where required programs or libraries were not available in the repository....

yeah, let's be honest here....

Re:

[cbhacking]

There are certainly casual Linux users. Not terribly many, compared to other desktop OSes, but they exist. I've had to do tech support for a few of them.

Anybody who can install the build tools (for those silly distros which don't include them) and run

tar xzf [tarball] && cd [folder] && ./configure && make && sudo make install

on Linux can handle the process to sideload on Win8 just fine, which is what this thread is about. As you (rightly) point out; plenty of people do it.

Re:

[graphius]

I agree with what you are saying, although I still feel most Linux users are in the top percentile of computer competence. Linux tends to encourage learning and knowledge (except for the newer Ubuntu releases....:~), while OSX, and especially Windows tends to discourage the same...

Android is a different beast. I would say that most people do not use their phones as computers, but as the infamous "consumption devices". They are appliances.

As for Win8-RT? It seems to be a bit of an unknown. Some people are sa

Re:Windows RT?

[Anonymous Coward]

Well - that was the main complaint about Linux.

And now -using windows- it is suddenly a no-brainer?

Wow... just wow!

Re:

[Cowmonaut]

Alright, throwing away mod points but you are completely dead wrong. You clearly do not understand how sideloading works in Windows 8.

Per Microsoft, sideloading is installing an app without the Store. With Windows 8 you have to have two things in order to sideload an app:

1. You need either the fully packed installer (which you cannot apparently save on your computer and can only download through the Windows Store app proper; going to the Windows Store page in a web browser doesn't give you any options to

Re:

[cbhacking]

I'm terribly sorry about your mod points. Hopefully, in the interest of them not being completely wasted, you'll learn something:

I'm right, and I know because I've done it. How much experience with Win8 / Windows RT sideloading do you have? I'm guessing moinimal to none, because (to use your own words) "you clearly do not understand how sideloading works on Windows 8." Or rather, you may understand how APPX provisioning into an install image works, but you have no clue about how sideloading (in the sense th

Re:

[Rexdude]

I don't get it, does this refer to Metro apps? I upgraded Win 7 Ultimate to Win 8 Pro on my desktop, and it hasn't affected my ability to install regular windows applications at all. In fact, I use Classic Shell to bring back the old start menu and I don't use the Metro UI at all.

Re:Windows RT?

[tuppe666]

Windows RT is going to be hell its hard to find actuate reliable information about anything. From wikipedia http://en.wikipedia.org/wiki/Windows_RT [wikipedia.org] it claims.

"Perhaps the biggest change is that Windows RT will only run applications that have been included in Microsoft's App store. This requires certification by Microsoft that they consider the application to be suitable."

and obviously

"Users will not have an option to disable UEFI secure boot on Windows RT systems. As a result, only operating systems that have been signed for secure boot by their developers can be installed"

Re:Windows RT?

[tuppe666]

I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would atleast make the thing slightly more useful.

Why buy a closed device, when open devices like Googles Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded, and manufacturer to be more open.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[__aaqvdr516]

Why buy a closed device, when open devices like Googles Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded, and manufacturer to be more open.

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet. The grass isn't always greener on the other side of the fence. The only difference between the grass is that different dogs shit on either side. I've flashed many different ROMs to my Kindle, I've owned a Playbook, I have a Linux netbook. Pretty much every OS sucks in it's own special way. If the only thing that sucks about Wi

Re:Windows RT?

[tuppe666]

I'm sorry to disagree with you. Clearly you have an issue with Google. It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space. They are advertisers just like Apple and Microsoft.

On the point of privacy. Clearly you have not installed Windows 8. Its defaults are appalling, and your being insincere in implying Microsoft is better.

The bottom line though is I personally would like a device where I can choose to install whatever OS. The reason being I personally quite like the look of the oversized trackpad on Chomebook , and the ability to install Debien, and it beong Good Value, all three features lacking on windows rt devices.

Re:

[__aaqvdr516]

This is straight from the Google privacy page:

http://www.google.com/intl/en/policies/privacy/key-terms/#toc-terms-sensitive-info [google.com]

Information we share

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

With your consent

We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive pe

Re:

[Raenex]

It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space.

Where "targeted AD space" is based on information all about you. Maybe they aren't reselling your name + information, but they sure are collecting it. Facebook requires real names, and Google has gone chasing after that policy, starting with Google+. Just the other day YouTube oh so helpfully wanted me to upgrade my account to my real name. I was able to decline it... for now.

Re:Windows RT?

[thoth]

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet.

So Microsoft has stated they will guarantee full privacy of your info that is stored in SkyDrive?

If your going to pull the "grass isn't always greener" argument, then Microsoft still loses, as their device is more expensive, will everything else (their treatment of your data) the same.

Re:

[LordLucless]

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet

Well, gee, it's lucky Google doesn't scan, categorize and resell very piece of information on your device then, isn't it? FUD much?

Re:

[Anonymous Coward]

The only part of that statement that can be debated is "resold." But you can be damn sure the other verbs apply.

Re:

[LordLucless]

Well, thank goodness I've got your assurances Anonymous Coward.

Re:

[blind biker]

If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

Windows RT (WinRT is the new API, Windows RT is the new OS) is not "closed", it is closed, and that's not the only thing that sucks about it.

Re:

[pentadecagon]

With Microsoft you have worse privacy than with Google. They collect at least the same amount of information, and because everything is closed you never know what else they transmit and collect.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Hack Windows?

[ThatsMyNick]

I tried that. But it did not hack the computer I was trying to hack. And now my computer is not working either.

Re:

[History's Coming To]

Next time try targetting 127.0.0.1 - it's a far easier target.

Re:

[cdxta]

don't forget /q

4 chained flaws to be exact!

[stillpixel]

1. They bought Windows 8. 2. They Installed Windows 8. 3. They connected Windows 8 to the internet. 4. They surfed goatse with IE10.

Re:

[History's Coming To]

+1 Insightful. The computer savvy of Windows users will always be its weakest point, purely because of it's the only interface for "I hate computers" people.

Re:Hardly surprising, it's still a baby.

[hobarrera]

It's sad to see that MS has dominated the market for so long that exploits seem accetable and it's insightful to claim this. Software should be well-written before you start charging for it. Period.

OpenBSD has only had 2 remote security holes in several dozen releases, in over 15 years. Why is it acceptable that something you pay for has had thousands more every release?

Re:

[smash]

Actually, these days they are. Firewall on by default on all versions. UAC on by default on all versions. Server core install suggested during server installation. IE secure mode on by default. Install X11 and a desktop environment on OpenBSD, compare to a client version of Windows and we're somewhere near being in the ballpark as far as a valid comparison goes.

If you want to compare without X11 and a desktop environment, then compare to Windows server core install.

Re:

[jones_supa]

How surprising some slashtard were to mod you down.

Not suprising at all

[SmallFurryCreature]

I am a Linux user because of this exchange:

Me to tech department: "Hi, I need to setup a FTP server with anonymous access only for people to download our companies installer who have problems getting it through http"

BSD user: FTP is insecure because password are plain text.

LInux user: You can run proftp for a simple open ftp with just one directory in a chroot jail so it is perfectly safe and accessible.

Basic openbsd is plain useless and out of date, start updating and adding stuff you need, and they stop c

Re:

[hobarrera]

I am a Linux user because of this exchange:

Me to tech department: "Hi, I need to setup a FTP server with anonymous access only for people to download our companies installer who have problems getting it through http"

BSD user: FTP is insecure because password are plain text.

Whoever gave you this answer is a moron. There's no plaintext password if it's an FTP for anonymous users.

Re:

[1s44c]

That's a big overreaction. The OpenBSD base system comes with lots of nice stuff, it does mail, web, NTP, and DNS for example plus all sorts of cool networking and firewalling tools. FreeBSD has native ZFS so don't tell me that BSD's lack cool toys.

The problems you describe are not due to the operating systems involved, but the people and policies. There is no reason why you can't run an anonymous FTP server on *BSD.

Re:

[smash]

Yeah tell me about it. The "I don't agree" = mod down. This place used to be worth hanging out on for actual discussion rather than anything critical of any sort of open source being modded down into oblivion.

Re:

[TechyImmigrant]

802.1X is an essential security feature?!

How did we survive before EAPoL?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[hobarrera]

Software should be well-written before you start charging for it. Period.

How do you assess if it's well written?

From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.

What would you suggest they do to reach your level of 'well written'?

It's not too hard to determine when it's "well written": it's basically when the default install does not have security holes. ie: not like windows.

OpenBSD has only had 2 remote security holes in several dozen releases

Out of the box with the default installation.

Windows has security holes out-of-the-box with all the defaults set. No system is safe if a user reconfigures it. What OS can protect me from a user who sets his password to his birthdate?

Of course, nobody uses OpenBSD in it's default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user

The installer quite clearly offers a choice to create a non-root account

, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target)

This is only enabled if you skipped the step in whice you can create a non-root user. If you only have

Re:

[volxdragon]

Like any piece of software, it will take a while before it is provably secure.

Provably secure? *snicker*

Re:

[BPPG]

Exactly. For example, I can prove that Windows 3.1 is secure on a modern network.

Re:

[smash]

No it's not. Just because Windows 3.1 malware is not currently running rampant, it doesn't mean the old exploits like WinNuke (and others) aren't still available if someone wants to target you. In fact, if someone can exploit ANY application in Windows 3.1, they have system level access, as the old Windows versions prior to NT were not multi-user, and only had one security context.

Re:

[smash]

It was a conversation point, jackass. Given there were holes you could drive a truck through in the Windows 9x TCP/IP stack, I would bet my house that there were also similar sized holes in the 16 bit Windows 3.1 TCP/IP stack shipped with the IEAK for 16 bit IE, and also trumpet winsock of the day as well.

And as per my original post - ANY exploit in ANY software for Windows 3.1 would result in full privileges, as there was no multi-user security model.

Re:

[gewalker]

You don't know much about VUPEN [forbes.com] -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

Re:

[1s44c]

You don't know much about VUPEN [forbes.com] -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

If low-lives can find these zero days how come MS with their massive profits and massive install base can't find them first and fix them?

Maybe because fixing Windows is like polishing a turd.

Christmas

[koan]

Is what it must be like for malware authors when Microsoft releases a new OS.

Not surprising

[Richy_T]

Security generally advances through evolution, not revolution.After making significant advances in security from 3.1 to XP, Microsoft is all out of evolution and so they're just throwing in random shiny (and they've even run out of the semi-good stock of that).

So new code just for the sake of it and is it any wonder bugs come along with it?

This is important ...

[stevez67]

... NOT. All the fuss about zero day exploits and the only people who ever use them are the ones who find them and the engineers who plug the holes. No big take-down of masses of people, no crippled companies, no nothing.

Re:

[BPPG]

only people who ever use them are the ones who find them and the engineers who plug the holes.

If people were going to use a 0day maliciously, then they wouldn't have announced it. In which case the engineers wouldn't be involved until after it was found in the wild.

Re:

[Anonymous Coward]

VUPEN isn't going to use the zero day maliciously. They're just going to sell it to the highest bidder. Because that's the company's business model.

Thing is...

[WillyWanker]

The sad thing is they think anyone actually cares.

If I may be allowed to...

[empgodot]

Even though I lack any surprise in this announcement, and would actually have been surprised if no 0-day had arisen within the first week after release, please kindly allow me to express, and excuse if it may sound a little childish, my first reaction:

lol

Not shocked

[ledow]

It took me nearly a day to get a "Active Directory Users and Computers" icon on my Windows 8 Pro VM.

- First I have to download RSAT.
- It errors with random hex-code when run.
- Much googling (and no help in the MS KB) later, I find out it doesn't like being on a mapped shared drive (which is what VMWare uses for it's shared drive with the host).
- Copy to C:\, run it.
- It installs without error, but nothing happens after (nothing in Windows Features related to remote admin tools, no new icons).
- Much googling (and no help in the MS KB) later, it turns out I don't have the en_US language installed and it won't work without it (despite the computer being en_GB!) but will just die silently.
- Go to install language, get empty language lists.
- Think they must be on the CD, so point it at the original CD image. Nope. Nothing useful.
- Much googling (and no help in the MS KB) later, it turns out that because I'd disabled Windows Search, it totally stops the list of languages populating.
- Enabled Windows Search.
- Installed language.
- Still no joy.
- Much googling (and no help in the MS KB) later, it turns out that because I have disabled Automatic Updates, it won't actually download the language pack (or error, or tell you that, or anything).
- Re-enabled, got the language pack (150Mb!)
- Reinstalled the MSU
- Finally get "Users and Computers".

It doesn't shock me that in that mess of code there might be a security feature or two that's lax. I mean, seriously? Half the things had no error code or even message to say they weren't going to work or why and those that did provided zero useful information.

- You can't install an MSU from a network-mapped drive (even if it appears as a mapped drive Z:!)
- You can't install RSAT with only en_GB enabled.
- You can't even see the languages available without Windows Search enabled (WTF?)
- You can't install a language without Automatic Updates enabled (Again, WTF?)
- You have to know all this to get Users & Computers working (which, if I remember rightly, is installed by default on most "Pro" versions of Windows or at worst was an Add/Remove Windows Feature kind of deal from the initial install disk).

I'm not surprised, with that amount of cross-interaction between COMPLETELY unrelated components, complete lack of user feedback, and random interactions, that there's a few security problems cropping up.

And that's not even the worst experience I've had with a clean Windows 8 VM image from an official Windows 8 ISO with a proper Windows 8 Pro Product Key. I actually managed to BSOD the VM within hours of install, not by even doing anything remotely interesting.

Re:

[cyber-vandal]

I feel your pain. Microsoft Dynamics CRM regularly throws up such gems as "An unknown error has occurred" which you then have to spend days trying to figure out via Google or in extreme cases disassembling the DLLs. Microsoft just seem totally averse to providing decent error messages or any documentation to suggest what caused the error message. I see the new blue screen doesn't have any "scary" useful information on it any more either.

Re:

[bertok]

I had a similar experience when I was asked to evaluate Hyper-V as a potential replacement for VMware ESX server. The installer failed because I didn't use the en-US keyboard.

I laughed, didn't even bother trying to fix the problem, and told my boss that there's no way in hell we're trusting our infrastructure to a hypervisor that depends on the keyboard layout to function. That's a blatant sign of shoddy engineering.

Here's another example for you: Windows Server 2008 R2 will not run a PowerShell script from

I don't believe it!

[1s44c]

Security holes! In Windows!

It's just like every other release from Microsoft then, bug ridden and insecure.