Vupen claims first Windows 8 security flaw – but won't say what it is

By Graeme Burton
05 Nov 2012

Vupen, the controversial security company that specialises in finding vulnerabilities in commercial software, has claimed a zero-day vulnerability in Windows 8, the new operating system from Microsoft that was launched just one week ago.

The vulnerability was announced by the company on Twitter, with the following message:

"Our first 0-day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers."

Vupen's business model involves, on the one hand, selling details about security flaws to corporate subscribers and, on the other, selling the details of those flaws to vendors so that they can patch their software.

Microsoft, though, prefers security researchers to participate in its own Coordinated Vulnerability Disclosure programme, which requires researchers not to publicly disclose security flaws that they have found until Microsoft has a patch ready.

If the claim is true, it would mean that Vupen has already defeated a number of security mechanisms built into Windows 8, intended to banish Microsoft's reputation for designing insecure software. These protections include Secure Boot, which only allows pre-approved applications to load during startup, picture password login, and built-in anti-virus protection.

However, the number of PCs currently running Windows 8 is minuscule. Microsoft claims that some four million copies were sold in the first few days following the launch. That number compares with some 670 million PCs running Windows 7.
