Vupen, the controversial security company that specialises in finding vulnerabilities in commercial software, has claimed a zero-day vulnerability in Windows 8, the new operating system from Microsoft that was launched just one week ago.
The vulnerability was announced by the company on Twitter, with the following message:
"Our first 0-day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers."
Vupen's business model involves selling details of security flaws to corporate subscribers on the one hand, and to the affected vendors, so that they can patch their software, on the other.
Microsoft, though, prefers security researchers to participate in its own Coordinated Vulnerability Disclosure programme, which requires researchers not to publicly disclose security flaws that they have found until Microsoft has a patch ready.
If true, it would mean that Vupen has already defeated a number of security mechanisms built into Windows 8, intended to banish Microsoft's reputation for designing insecure software. These protections include Secure Boot, which only allows pre-approved applications to load during startup, picture password login, and built-in anti-virus protection.
However, the number of PCs currently running Windows 8 is minuscule. Microsoft claims that some four million copies were sold in the first few days following the launch. That number compares with some 670 million PCs running Windows 7.