Some companies, and individuals, find and disclose vulnerabilities — whether in websites, operating systems, programs, or anything else — for the betterment of society. Others do it for a “finder’s fee”. VUPEN does it so it can sell the secrets to whomever wants them.
VUPEN is a security research firm that works a bit differently from other firms. Like traditional digital security firms, VUPEN researches vulnerabilities in popular software packages (e.g. Windows). Unlike other firms, VUPEN does not disclose the vulnerabilities it finds. Rather, VUPEN offers the details of the vulnerabilities it finds to whomever is willing to pay the price. Yes, that is what it sounds like — VUPEN sells vulnerabilities to the highest bidders (so to speak).
Of course, the idea behind VUPEN is to make parties pay to better protect themselves; ideally the exploit secrets VUPEN sells are used by the buyers to defend against the vulnerabilities. In reality, however, it isn’t hard to imagine VUPEN-discovered vulnerabilities being bought for use in less legitimate activities, including but not limited to malware creation.
We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations. Congrats to our mitigation mitigator @n_joly
-VUPEN CEO Chaouki Bekrar on Twitter
Of course, it is impossible to confirm VUPEN’s claim without shelling out the money to grab the details about the exploit(s) it has found in Microsoft’s latest creations. However, I doubt VUPEN would risk its reputation by making false claims. Plus, exploits are nothing new in the tech industry, and it was only a matter of time before somebody hacked Windows 8. Why shouldn’t it be VUPEN, a company that has a strong financial motive for doing so?
Since Microsoft has not been informed about the vulnerability by VUPEN, Microsoft obviously cannot patch it. According to Microsoft’s spokesperson:
We saw the tweet, but further details have not been shared with us. We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection.
Uh-oh. A vulnerability in Windows 8 that will not be patched? Another reason to not buy Windows 8, right? Hang on there, cowboy.
It should be noted that the Windows 8 and IE 10 vulnerability VUPEN claims to have found is unlikely to be exploited in the wild. This is because VUPEN chained previously discovered but undisclosed vulnerabilities to arrive at this new one. So unless some scumbag purchases the vulnerability from VUPEN and releases it in the wild, or someone figures out the vulnerability on their own (which is unlikely without access to the earlier vulnerabilities), there is little risk to the average Joe from this particular vulnerability. Still, it has ramifications for Microsoft — VUPEN discovered the vulnerability only a week after the release of Windows 8, and Microsoft has been advertising increased security in Windows 8 over previous versions of Windows.
It’s definitely an interesting business VUPEN is in. Ideally every company should report exploits directly to Microsoft so they can work together to patch them, but the reality is that VUPEN makes money by not disclosing. Business is business, after all. Hopefully, for Windows 8 users, this exploit doesn’t get into the wrong hands.