November 29, 2014

Security researchers say they already have zero-day exploits for Windows 8

(LiveHacking.Com) – Windows 8 has been available for only a few days, and the security research company VUPEN, which specializes in finding vulnerabilities in software, writing exploits for them and selling those exploits to government agencies, claims it already has working zero-day exploits for Microsoft's new operating system.

Before Windows 8 was released the company promised that it would be ready to release exploits to its customers on launch day: "Windows 8 will be officially released by MS on Oct 26th, we'll release to customers the 1st exploit for Win8 the same day." Then a few days after the launch, Chaouki Bekrar, the CEO and Head of Research at VUPEN, tweeted: "We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations." For anyone who needs the slang decoded: "0Ds" means zero-days, vulnerabilities (and the exploits for them) that the vendor does not yet know about and so has had zero days to fix, and "pwn" means to compromise, or "own", a target.

In other words, VUPEN is claiming working zero-day exploits for Windows 8 that chain several vulnerabilities together to defeat the new mitigations, with IE10 as one of the attack vectors. Note that this is a claim by the company; no exploit has been shown publicly, which is consistent with VUPEN's business model of selling details only to customers.

According to Forbes, the Windows 8 attack will be included in the company's Threat Protection Program, the defensive side of VUPEN's business. It isn't clear whether the exploits will also be sold for offensive use, although Bekrar does say that customers can use them "for national security purposes".

"The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes," Bekrar wrote to Forbes' Andy Greenberg.

The fact that VUPEN has working exploits for Windows 8 is quite interesting given the defences the new release ships with. Windows 8 comes with a pre-installed anti-malware program, Windows Defender, and with a revamped version of its Address Space Layout Randomization (ASLR) feature. ASLR randomizes where the stack, the heap and loaded code modules sit in a process's memory on each run, so an exploit for a buffer overflow or heap corruption bug cannot rely on hard-coded addresses: the attacker first needs a second bug that leaks an address, which is why Bekrar talks about combining several zero-days. IE10 additionally runs web content in a sandboxed process, so code execution inside the browser does not by itself give control of the machine. Of these, only ASLR and the sandbox are exploit mitigations in the sense Bekrar means; an anti-malware scanner cannot stop a memory-corruption exploit from running, it can at best detect the payload the exploit drops afterwards.

Google Chrome Browser First to Fall at Pwn2Own 2012

(LiveHacking.Com) – Google spends a lot of time, effort and money on making Chrome as secure as possible. However, software can never be 100% secure. This was demonstrated again during this year's CanSecWest Pwn2Own hacker contest, where Chrome was the first browser to fall.

A team of French hackers from VUPEN, which sells vulnerabilities and exploits to government customers, took down Chrome with an impressive exploit chain. VUPEN co-founder and head of research Chaouki Bekrar and his team attacked Chrome via a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 PC. The team worked for six weeks prior to the competition to find the vulnerabilities and write the exploits.

In an interview, Bekrar said “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

According to Bekrar, who declined to say whether any of the exploits targeted third-party code (such as Adobe Flash), the attack used a use-after-free vulnerability in a default installation of Chrome. To launch the hack the team created a web page booby-trapped with the exploit code. Once the target page was opened in Chrome, the exploit ran and launched the Windows Calculator (calc.exe). Calculator is harmless, but popping it is the conventional proof that an exploit has arbitrary code execution outside the browser's sandbox: anything that can start calc.exe with the user's privileges can just as easily start a malware installer.

The most controversial aspect of all this is that VUPEN will sell the rights to only one of the two zero-day vulnerabilities; the company says it won't give up the sandbox escape and intends to keep it private for its customers. That leaves Chrome's sandbox bypass unfixed, which goes against the ethos of security research and responsible disclosure.

Chrome isn't VUPEN's only target: the company says it also has exploits for Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.

VUPEN Finds Zero-Day Vulnerability in Chrome and Bypasses Sandbox and Other Security Features

VUPEN, a security research company that works closely with government institutions, has discovered a zero-day vulnerability in Google's Chrome web browser that allows a payload to be downloaded and executed on the host computer simply by visiting a specially crafted web page.

As a proof of concept VUPEN has posted a video showing the Windows Calculator being launched after a web page is opened. Calculator itself is harmless, but an attacker with the same code-execution foothold could download and install any malware at that point.

This is a complicated hack: it bypasses Chrome's sandbox, which isolates the renderer process that parses untrusted web content from the underlying operating system, so that even if an attacker gains code execution inside the renderer they should not be able to run arbitrary code on the victim's computer. Escaping it normally requires a second vulnerability on top of the initial code-execution bug. The sandbox has served Chrome well until now: it left Chrome undefeated in the last three Pwn2Own hacking contests.

This new attack also circumvented Windows 7's address space layout randomization (ASLR) and data execution prevention (DEP), two system-wide mitigations designed to make memory-corruption bugs hard to turn into reliable exploits.

VUPEN has not publicly disclosed the nature of the zero-day vulnerability; according to its blog, the details will be shared exclusively with VUPEN's government customers as part of its vulnerability research services.

Critical Vulnerability in Internet Explorer

VUPEN, an IT security research company, has reported a critical vulnerability in Internet Explorer that has been publicly known for about two weeks.


According to the VUPEN security advisory, the vulnerability could be exploited by remote attackers to take complete control of a vulnerable system. The issue is a use-after-free error in the "mshtml.dll" library, Internet Explorer's HTML rendering engine, triggered when processing a web page that references a CSS (Cascading Style Sheets) file containing various "@import" rules. A remote attacker can exploit it to execute arbitrary code via a specially crafted web page, so a victim only has to visit a malicious or compromised site.

VUPEN has confirmed the vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3. Microsoft has yet to respond and it is not known if or when a patch will be released.

Metasploit Framework exploit code for this vulnerability is already publicly available (the original article linked to it here), which makes exploitation in the wild considerably more likely while the bug remains unpatched.