Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10
An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."
I thought that little used operating systems were less vulnerable because fewer hackers would target them compared to popular, mass market operating systems such as Linux and MacOS.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It's a pretty common quote, basically it's about the unloved and unwanted Vista
http://www.microsoft.com/en-us/news/exec/steve/2008/10-12AdDay.aspx
"STEVE BALLMER: Vista is our best selling product ever. So, if that takes too much getting over -- we're not going to have products that are much more successful than Vista has been. We sold over 180 million copies in the first 18 months, quite successful."
I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would at least make the thing slightly more useful.
On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago.
And who thinks that other hackers won't figure this out?
More precisely, who says the other hackers would disclose it if they found such vulnerabilities? There's plenty of profit to be earned in vulnerabilities in the black market.
I tried that. But it did not hack the computer I was trying to hack. And now my computer is not working either.
1. They bought Windows 8. 2. They Installed Windows 8. 3. They connected Windows 8 to the internet. 4. They surfed goatse with IE10.
Is what it must be like for malware authors when Microsoft releases a new OS.
"If any question why we died, Tell them because our fathers lied."
It's sad to see that MS has dominated the market for so long that exploits seem acceptable and it's insightful to claim this. Software should be well-written before you start charging for it. Period.
OpenBSD has only had 2 remote security holes in several dozen releases, in over 15 years. Why is it acceptable that something you pay for has had thousands more every release?
... NOT. All the fuss about zero day exploits and the only people who ever use them are the ones who find them and the engineers who plug the holes. No big take-down of masses of people, no crippled companies, no nothing.
Next time try targeting 127.0.0.1 - it's a far easier target.
Please consider this account deleted, I just can't be bothered with the spam anymore.
Like any piece of software, it will take a while before it is provably secure.
Provably secure? *snicker*
Well, it's more than 01, less than 11, and still only a 2-bit binary integer.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Exactly. For example, I can prove that Windows 3.1 is secure on a modern network.
What's the value of information that you don't know?
You don't know much about VUPEN -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.
No it's not. Just because Windows 3.1 malware is not currently running rampant, it doesn't mean the old exploits like WinNuke (and others) aren't still available if someone wants to target you. In fact, if someone can exploit ANY application in Windows 3.1, they have system level access, as the old Windows versions prior to NT were not multi-user, and only had one security context.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
don't forget /q
The moral here may be that if you're starting a new software product you have to put equal attention into these two things.
Software? I design cryptographic hardware for a living you insensitive clod!
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Bull [cough] Shill [cough] Shit
The sad thing is they think anyone actually cares.
Even though I lack any surprise in this announcement, and would actually have been surprised if no 0-day had arisen within the first week after release, please kindly allow me to express, and excuse if it may sound a little childish, my first reaction:
lol
IE8: See IE7, they never fixed the bug.
What bug, specifically, is this? Or have you just screwed up your IE and you're intent on blaming it on Microsoft?
systemd is Roko's Basilisk.
How do you screw up a browser unless you're changing its code?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
I am a Linux user because of this exchange:
Me to tech department: "Hi, I need to set up an FTP server with anonymous access only for people to download our company's installer who have problems getting it through http"
BSD user: FTP is insecure because passwords are plain text.
Linux user: You can run proftp for a simple open ftp with just one directory in a chroot jail so it is perfectly safe and accessible.
Basic OpenBSD is plain useless and out of date, start updating and adding stuff you need, and they stop counting security holes. If OpenBSD was a car, it would be the safest car in the world. It would also never ever have moved out of the garage.
In the real world you need to trade security for functionality. Let BSD guy loose on your systems and nobody can hack into them, and neither can anyone use them. You get the perfectly secure system and all your developers and users leave you because the system is unusable. The BSD admin will not only insist on 20 character passwords that are a mix of characters, numbers, symbols and arcane spells but insist usernames follow a similar pattern. And for mobile access as well. 4 digit unlock on company phone? NOOOO! INSECURE!!!! 12 char password at least and mix of caps, characters, reading symbols and dna sample!
And then they wonder why everyone spends all their time working around the system. Was so bad in one company that all work was getting done on laptops over mobile connections because getting things done through channels just took too fucking long.
Next BSD release will be called concrete, you pour concrete over your computer and it will be very secure!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I expect those fanboys to run Windows 8s = Windows Aids and search for bugs and vulnerabilities. Actually, I never had a virus with Linux, and my drupal server was only once compromised. The reason I like windows is that third party apps just work, the reason why I use Linux is the shell and multiple desktops. I mostly need Firefox and Thunderbird and Irssi, that is all.
It took me nearly a day to get a "Active Directory Users and Computers" icon on my Windows 8 Pro VM.
- First I have to download RSAT.
- It errors with random hex-code when run.
- Much googling (and no help in the MS KB) later, I find out it doesn't like being on a mapped shared drive (which is what VMWare uses for its shared drive with the host).
- Copy to C:\, run it.
- It installs without error, but nothing happens after (nothing in Windows Features related to remote admin tools, no new icons).
- Much googling (and no help in the MS KB) later, it turns out I don't have the en_US language installed and it won't work without it (despite the computer being en_GB!) but will just die silently.
- Go to install language, get empty language lists.
- Think they must be on the CD, so point it at the original CD image. Nope. Nothing useful.
- Much googling (and no help in the MS KB) later, it turns out that because I'd disabled Windows Search, it totally stops the list of languages populating.
- Enabled Windows Search.
- Installed language.
- Still no joy.
- Much googling (and no help in the MS KB) later, it turns out that because I have disabled Automatic Updates, it won't actually download the language pack (or error, or tell you that, or anything).
- Re-enabled, got the language pack (150Mb!)
- Reinstalled the MSU
- Finally get "Users and Computers".
It doesn't shock me that in that mess of code there might be a security feature or two that's lax. I mean, seriously? Half the things had no error code or even message to say they weren't going to work or why and those that did provided zero useful information.
- You can't install an MSU from a network-mapped drive (even if it appears as a mapped drive Z:!)
- You can't install RSAT with only en_GB enabled.
- You can't even see the languages available without Windows Search enabled (WTF?)
- You can't install a language without Automatic Updates enabled (Again, WTF?)
- You have to know all this to get Users & Computers working (which, if I remember rightly, is installed by default on most "Pro" versions of Windows or at worst was an Add/Remove Windows Feature kind of deal from the initial install disk).
I'm not surprised, with that amount of cross-interaction between COMPLETELY unrelated components, complete lack of user feedback, and random interactions, that there's a few security problems cropping up.
And that's not even the worst experience I've had with a clean Windows 8 VM image from an official Windows 8 ISO with a proper Windows 8 Pro Product Key. I actually managed to BSOD the VM within hours of install, not by even doing anything remotely interesting.
How do you assess if it's well written?
From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.
What would you suggest they do to reach your level of 'well written'?
Out of the box with the default installation.
Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target) and so many other daemons that retain an unsafe configuration by default (although, I emphasize they aren't installed by default, so this magically makes it okay to the OpenBSD crowd). OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.
In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu for example tries to ensure all the daemons run as regular users that don't have access to more than what they need to. SuSE on the other hand focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies. Root by default not being accessible from remote systems and instead need to enter via a regular user and use sudo to obtain access to higher privileged commands.
OpenBSD really needs to update their security practices because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for the fact they are using poor default configurations on daemons and poor user privilege management which is encouraged by how the system sets up the system initially does not help security.
If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.
Change is certain; progress is not obligatory.
How do you assess if it's well written?
From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.
What would you suggest they do to reach your level of 'well written'?
It's not too hard to determine when it's "well written": it's basically when the default install does not have security holes. ie: not like windows.
OpenBSD has only had 2 remote security holes in several dozen releases
Out of the box with the default installation.
Windows has security holes out-of-the-box with all the defaults set. No system is safe if a user reconfigures it. What OS can protect me from a user who sets his password to his birthdate?
Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user
The installer quite clearly offers a choice to create a non-root account
, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target)
This is only enabled if you skipped the step in which you can create a non-root user. If you only have root, then it's quite obvious you'll want to log in as root
and so many other daemons that retain an unsafe configuration by default (although, I emphasize they aren't installed by default, so this magically makes it okay to the OpenBSD crowd).
[citation needed]
OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.
In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu for example tries to ensure all the daemons run as regular users that don't have access to more than what they need to.
OpenBSD does this and chroots several daemons as well.
In any case, this is a fine example of yet another OS that cares about security to some degree, but does not defend Windows' stance in any way.
SuSE on the other hand focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies. Root by default not being accessible from remote systems and instead need to enter via a regular user and use sudo to obtain access to higher privileged commands.
Again, OpenBSD only suggests you don't disable remote root logins if you skipped the step where you create another user. For quite obvious reasons.
OpenBSD really needs to update their security practices because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for the fact they are using poor default configurations on daemons and poor user privilege management which is encouraged by how the system sets up the system initially does not help security.
If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.
1) Install XP on a PC.
2) Plug an internet cable.
3) Sit back.
4) You now have an infected machine.
Windows 8 hasn't reached this point yet, but it's just a matter of time, as with every other release.
Security holes! In Windows!
It's just like every other release from Microsoft then, bug ridden and insecure.
You don't know much about VUPEN -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.
If low-lives can find these zero days how come MS with their massive profits and massive install base can't find them first and fix them?
Maybe because fixing Windows is like polishing a turd.
802.1X is an essential security feature?!
How did we survive before EAPoL?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Screwing around with the registry. The wrong registry entry in the right place will cause any program to go "boom".
Free Martian Whores!
Yeah tell me about it. The "I don't agree" = mod down. This place used to be worth hanging out on for actual discussion rather than anything critical of any sort of open source being modded down into oblivion.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Actually, these days they are. Firewall on by default on all versions. UAC on by default on all versions. Server core install suggested during server installation. IE secure mode on by default. Install X11 and a desktop environment on OpenBSD, compare to a client version of Windows and we're somewhere near being in the ballpark as far as a valid comparison goes.
If you want to compare without X11 and a desktop environment, then compare to Windows server core install.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It was a conversation point, jackass. Given there were holes you could drive a truck through in the Windows 9x TCP/IP stack, I would bet my house that there were also similar sized holes in the 16 bit Windows 3.1 TCP/IP stack shipped with the IEAK for 16 bit IE, and also trumpet winsock of the day as well.
And as per my original post - ANY exploit in ANY software for Windows 3.1 would result in full privileges, as there was no multi-user security model.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.