VUPEN Researchers Say They Have Zero-Day Windows 8 Exploit

Controversial bug hunters and exploit sellers VUPEN claimed to have cracked the low-level security enhancements featured in Windows 8, Microsoft’s latest operating system.


VUPEN CEO and head of research Chaouki Bekrar sent out a pair of ominous tweets yesterday claiming to have developed the first zero-day exploit for Windows 8 and Internet Explorer 10, both released Oct. 26. Bekrar hints that the exploit is a sandbox bypass for IE10 with ASLR, DEP and anti-ROP mitigations enabled.

“We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Bekrar wrote.

Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) were introduced in Windows Vista. ASLR randomizes where code and data are placed in a process's address space in order to curb memory-corruption attacks, while DEP keeps applications from executing code out of memory regions marked as data. Return-oriented programming (ROP) techniques, meanwhile, help attackers bypass both of these protections by chaining together small fragments of code that is already present and executable. Anti-ROP tools were the focus of Microsoft’s BlueHat Prize contest; researcher Vasilis Pappas won $200,000 for his kBouncer ROP mitigation technology, which uses the Windows kernel to enforce process restrictions and prevent ROP chains from running.

Windows 8 features several hardware-level security updates in addition to Secure Boot, which uses UEFI rather than a traditional BIOS and loads the Early Launch Antimalware (ELAM) driver. Microsoft said the driver starts before other boot-start drivers, examines those drivers for infection, and lets the kernel decide whether to initialize them. ELAM, Microsoft said, launches before third-party antimalware protection and detects malware during the boot process.

There are other root-level security features in Windows 8 that burrow deeper into the operating system than before. Some of these include updated memory managers, the Windows Heap Manager and the Windows Kernel Pool Allocator. The Windows Heap Manager reduces the effectiveness of buffer overflow attacks by randomizing heap layout, while the Kernel Pool Allocator hardens the resource that dynamically allocates kernel memory on behalf of applications. All of these would significantly cut down an attacker’s ability to run code at the root level on a Windows 8 machine, Microsoft said.

Microsoft also introduced a new sandbox in Windows 8 called AppContainer. All of the new Metro applications run in AppContainers.

All of this was built on top of existing security features such as the TPM chip, self-encrypting drives (SED), ASLR and DEP.
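As an added illustration (not code from the article, VUPEN or Microsoft), the Python below reads the DllCharacteristics field of a PE header to report whether an image opted into the ASLR (DYNAMIC_BASE, HIGH_ENTROPY_VA), DEP (NX_COMPAT) and AppContainer flags discussed above. The header it parses is constructed in memory for the demonstration; the flag values are the documented IMAGE_DLLCHARACTERISTICS_* bits.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification (winnt.h)
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit high-entropy ASLR, added in Windows 8
    "DYNAMIC_BASE":    0x0040,  # image may be relocated, i.e. ASLR opt-in
    "NX_COMPAT":       0x0100,  # image is DEP-compatible
    "APPCONTAINER":    0x1000,  # image must run inside an AppContainer
}

def parse_dll_characteristics(image: bytes) -> dict:
    """Return {flag_name: bool} for the mitigation bits of a PE image; ValueError if not PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # start of the optional header
    if size_opt < 0x48 or len(image) < opt + 0x48:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics is at offset 0x46 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 0x46)
    return {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}

def build_test_image(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (not a real program) used to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0 if magic == 0x20B else 0xE0
    machine = 0x8664 if magic == 0x20B else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def missing_mitigations(image: bytes) -> list:
    """Names of the ASLR/DEP opt-ins an image lacks, for quick triage of a binary."""
    flags = parse_dll_characteristics(image)
    return [n for n in ("DYNAMIC_BASE", "NX_COMPAT") if not flags[n]]
```

An image that lacks DYNAMIC_BASE or NX_COMPAT does not benefit from ASLR or DEP even on a system where both are available, which is why defenders audit these bits when evaluating third-party software.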

Boot-level attacks are on the rise according to security experts. Attackers have found great success with rootkits that infect a Windows machine’s BIOS or Master Boot Record, giving them persistent and often undetected access to a machine. Boot-level attacks can also lead to further malware infections where an attacker can harvest credentials and use an infected computer as a pivot point for attacks on other machines in a network.

“One reason protecting against boot-level attacks is so important is that if your BIOS or pre-boot environment is infected, no matter what you do to clean it up, things that get that low into pre-boot can re-infect you at any time and nothing the OS level does to clean that up can protect you,” said Ari Singer, chairman of the Trusted Computing Group’s TPM Working Group. “You will be re-infected every single time. It’s a way for an attacker to get a persistent attack on machine. Typically, this is very difficult to detect.”

  • Anonymous on

    While I think it is good thing that Vupen were able to breach the security of Windows 8 and IE 10, I hope that they will do the right thing and responsibly disclose this exploit to Microsoft. If they try to sell it for money like they did with Google Chrome flaws to Google, it is bad for everyone since every Windows 8 user could benefit from protection against this kind of exploit and Microsoft is unlikely to buy from them.

    On a semi-related note, I find it almost childish that there is always a race between exploit writers/security researchers to be first to find a flaw in a new OS in order to score cheap brownie points and notoriety for a short time. We all know that no OS will ever be perfect when it comes to security. Again my only hope is that Vupen responsibly disclose this flaw to Microsoft, otherwise they are doing more harm than good.

    I don’t mean any offense to exploit writers/security researchers with my comments above. I am grateful for the work that they do.

  • Tinman57 on

    DEP was introduced in XP, not Vista.....

  • machinist on

    I totally agree with Tinman57, any flaws in Windows 8 or any other system that have been found by an independent source should be submitted to Microsoft or any other authority.

    It is the responsibility of decent Hackers to submit any flaws found in Computer systems, but I admit there are a lot of criminal Hackers out there, and the sooner they are caught and locked up, or taught the error of their ways, and maybe employed by a security firm, the better.

    The business world & private computing now run the economies of the world, and need all the help they can get. The world is now a lot more complicated for everybody born today!
