August 27, 2014

Security researchers say they already have zero-day exploits for Windows 8

(LiveHacking.Com) – Windows 8 has been available for a few days now and the security research company VUPEN, which specializes in finding security exploits in software and then selling them to government agencies, claims it already has working zero-day exploits for Microsoft’s new operating system.

Before Windows 8 was released the company promised that it would be ready to release exploits to its customers on the launch day: “Windows 8 will be officially released by MS on Oct 26th, we’ll release to customers the 1st exploit for Win8 the same day.” Then a few days after the launch, Chaouki Bekrar, the CEO & Head of Research at VUPEN, tweeted: “We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations.” You might need help decoding that a bit: 0Ds means zero-day exploits, and pwn means to hack something in order to “own” it.

This means that VUPEN has confirmed that it has working zero-day exploits for Windows 8 using IE10 as one of the attack vectors.

According to Forbes, the Windows 8 attack will be included in the company’s Threat Protection Program, the defensive aspect of VUPEN’s business. It isn’t clear if the exploits will also be sold as an offensive measure; however, Bekrar does say that the company’s customers can use the exploits “for national security purposes”.

“The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar wrote to Andy Greenberg.

The fact that VUPEN has working exploits for Windows 8 is quite interesting. Windows 8 comes with a pre-installed anti-malware program known as Windows Defender and also has a revamped version of its Address Space Layout Randomization (ASLR) feature. ASLR randomizes the memory layout so that a software exploit cannot easily take advantage of a buffer overflow or heap corruption. IE10 also comes with sandboxing techniques.

Microsoft Rethinking How Often A Windows 8 Machine Will Need to Restart to Apply Security Patches

(LiveHacking.Com) - Microsoft will change the way Windows 8 forces a system restart when applying security patches to minimize downtime and limit disruption and inconvenience. According to a new post on Microsoft’s Building Windows 8 blog, the Windows Update service will be modified for Windows 8.

When it comes to Windows Update, one of the most discussed topics is the disruptiveness of restarts in the course of automatic updating. And for good reason—restarts can interrupt you right in the middle of something important.

For Windows 8 Microsoft wants to find the best way to quickly update the PC while not being intrusive to the user. To this end it proposes three principles:

  • The automatic updating experience is not intrusive to users but keeps them aware of critical actions
  • Minimize restarts and make them more predictable
  • Continue to keep the PC and the ecosystem up-to-date and secure in a timely manner

What this means practically is that:

  • Windows Update will consolidate all the restarts in a month, synchronizing with the monthly security release (meaning Patch Tuesday).
  • Windows Update notifies you of any upcoming automatic restart.
  • Windows Update will delay the automatic restart if there is potential of losing user data.

What this means is that it does not matter when in a month updates that require restarts are released, as these restarts will be delayed till Patch Tuesday. Therefore there will be just one forced restart per month.

There is, however, one exception: if Microsoft issues a critical security update to fix a worm-like vulnerability, then Windows Update will download, install, and restart automatically.