Domain: vupen.com
Stories and comments across the archive that link to vupen.com.
Comments · 15
-
exploit vendors
Of course there are links, there are even companies specialized on it
-
VUPEN says they have standards.
Only Available for trusted organizations
Because of the sensitive nature of the information provided through this service, VUPEN Security has defined strict eligibility criteria for participants. VUPEN Security solely reserves the right to determine whether an organization or corporation meets the criteria.
Eligible organizations are:
- Trusted Security Vendors Providing Defensive Software or Hardware (Antivirus, IPS, IDS)
- Governments, Law Enforcement, and CERTs (countries members of NATO, ANZUS, ASEAN)
- Worldwide Corporations and MSSPs (Fortune 1000, Finance, Technology, Research)
So all I have to do is register a corp called "Highly Trusted Security Vendor", subscribe, and profit?!
-
Ever heard of Vupen?
http://www.vupen.com/english/
"defensive and offensive cyber security". Helsingin Sanomat, the biggest newspaper in Finland, claims the company is selling security holes (most likely accompanied by an easy way to use them) to governments and intelligence agencies.
In Finnish: http://www.hs.fi/ulkomaat/Tietoturva-aukoilla+tahkotaan+miljoonia/a1371264995752
-
Re:Windows 8 Is Failing on Its Own
-
Arguably even worse than that...
There is an unfortunate additional quirk in this case: Since, naturally, the 'cyberwarriors' don't want to be stuck purely in the tedious and thankless job of playing defense, there is a demand for 'offensive capabilities'. This creates a perverse incentive: If a flaw is disclosed and patched or mitigated, it is no longer of offensive utility, so now the market for zero-days and exploit payloads isn't just black hats, scammers, and criminals; but 'respectable' defense industry types.
This is not a merely theoretical problem.
VUPEN is the crass, attention-whoring, bad-boy of the industry; but practically the entire who's-who of staid, tight-lipped, defense contractors has a division peddling bugs somewhere in the business.
Even if we were 100% warm and fuzzy about the use these exploits are being put to by these firms customers(Only the good guys, pinkie swear!), this situation is insane from the perspective of actual 'security'. Whose economies, financial systems, and infrastructure depend most heavily on complex IT systems? Ummm, mostly wealthy developed countries. Whose citizens are most vulnerable to electronic compromise of financial information and such? Countries with high rates of internet penetration and lots of computers. Who has the capability to deploy electronic attacks against unpatched vulnerabilities? Virtually everyone.
In addition to the usual grab for rights and money, this 'cybersecurity' industry begets insecurity, because of the demand for 'offensive capabilities', despite the fact that we are the ones with the most to lose in an insecure environment. At least classic corporate welfare military R&D is merely expensive, and once you hand over the money, Raytheon or whoever goes off to build some impractical toy that is largely useless; but at least largely harmless....
-
Re:Not really important to me
Even Lynx is too 'modern'. Check this exploit: http://www.vupen.com/english/advisories/2010/2042
This is exactly why I manually telnet to each website's port and issue GET requests directly
-
Re:Not really important to me
Even Lynx is too 'modern'. Check this exploit: http://www.vupen.com/english/advisories/2010/2042
-
Re:Affected software list
Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.
Oh, so you have already read about conditions where this happens? Guess I don't have to answer this one then, do I?
Besides, I already gave you an example earlier. But just for shits and giggles, here's one that references the chances at 1% on IE8/Vista or IE8/Win7:
Now, while 1% seems a trivial number, it is actually quite large when installed base is taken into account... or only a few million machines.
Then add to that, such an exploit can be attempted multiple times on a machine, which raises the likeliness of the exploit working.
And here's one more recent that states it is even more likely and has been proven to be possible:
Hmmm... does that one sound familiar? Maybe the one this patch is supposed to address?
Or this one: Crappy Ass Microsoft Javascript implementation vector for bypassing DEP
And one that was made available to govts and large security software vendors: DEP being bypassed
And one (just to add it to the list) to bypass XP and hardware DEP: ANI Cursor Exploit
Should I go on? There are TONS of pages I can go through... and I haven't even started on the hotfixes and other patches Microsoft has released to fix earlier issues with DEP and UAC.
Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.
But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.
Hmmm... I dunno... what did the .NET stuff do for both Firefox and IE? Is .NET really truly fixed this time? This is the 6th major attempt to do so, and probably the few dozenth attempt overall.
The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.
True... but then again, I make most of my "repair" money at the company I work for from fixing virus ridden machines running on default settings (DEP and UAC enabled) from customers who have (or claim to have) done nothing and clicked on nothing - other than visiting malicious sites before the most recent .NET patch.
Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.
If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.
When exactly does it do that? And you realize there are mechanisms built into Windows Vista and Windows Seven to bypass UAC, correct? I'm cleaning a machine right now with Vista on it (and UAC & DEP enabled), where winlogon was infected (along with just under 100 other files).
If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.
I agree... but that is not needed in vari
-
Re:How do we know it's not already in use?
Yes, it only deserves a rating of Moderate. It's not remote and requires local user intervention. This is pretty much the definition of a moderate vulnerability.
The industry appears to agree with me:
http://secunia.com/advisories/38265/
http://www.vupen.com/english/advisories/2010/0179
-
Re:Cover your eyes
-
VUPEN have found a way to bypass DEP
-
Re:Yay, tight integration of browser with OS...
It would be deeply, deeply wrong if IE was the only way to get infected. The vulnerability is quite interesting -- it can be invoked by crafting a special Embedded OpenType (EOT) font file, which then exploits a vulnerability in kernel mode driver that parses font code. So you can be exploited using Microsoft Office, Wordpad -- anything that can display EOT-embedded fonts. All you have to do is open a document containing the offending font. Of course, IE is easy to exploit because all you need to do is put up a web page.
Note that Windows 7, in which most drivers are back in user space, is not vulnerable to this exploit. Killer reason to upgrade, imho. This is also the reason most video driver crashes don't crash Windows 7 -- the display is simply re-initialized.
-
Re:"RE"-introducing?
Sometimes we don't know things until we know them, alas.
No kidding! Like this one:
http://www.infoworld.com/d/security-central/critical-linux-kernel-bugs-discovered-440
or this one:
http://www.doecirc.energy.gov/bulletins/t-029.shtml
or this one:
http://www.vupen.com/english/advisories/2007/3860
or these:
http://secwatch.org/advisories/1021203/
Gosh! Linux has flaws, just like Microsoft. The only difference is usually in the turnaround time for a patch. But how well tested is that Linux patch? Anyone remember how v2.6.23 broke VMware Server? Oops. Of course, Microsoft has broken its fair share of products also, but on the whole in the past several years, Microsoft has released much better tested and complete patches than Linux.
How many Linux folks here are running kernel v2.6.30.5 or newer? On your production server? No? Why not? Oh, waiting for stability/fixes/security to be well tested first...
Microsoft has a longer release cycle than Linux, get over it already.
-
Re:Not PDF vulnerability ... Adobe vulnerability
You are mistaken! Open source implementations also got it wrong, it isn't just Adobe. See for example problems in poppler here. Since there are apparently different problems in several independent JBIG2 format implementations, maybe the format specification isn't as clear as it should be?
-
Actually, Microsoft missed patching TWO exploits
0-day for Internet Explorer v.7 is in the wild and was not patched yesterday
http://isc.sans.org/diary.html?storyid=5458
http://www.vupen.com/english/advisories/2008/3391
http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/
Internet users located in China report infections that result when using IE 7 to browse booby-trapped websites. Researchers from McAfee investigated the matter and found the exploits successfully target the Microsoft browser on both Windows XP Service Pack 3 and Vista SP 1.