JMH
Emeritus, Contributor
- Apr 2, 2012
- 7,197
It's not exactly the type of advertisement most people would understand.
For sale: "Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed)." It's part of a recent message on Twitter from Vupen, a French company that specializes in finding vulnerabilities in widely used software from companies such as Microsoft, Adobe, Apple and Oracle.
Vupen occupies a grayish area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organizations defend themselves from hackers, and in some cases, play offense as well.
Vupen has found a problem somewhere in Microsoft's new Windows 8 operating system and its Internet Explorer 10 browser. The flaw has not been publicly disclosed or fixed by the company yet.
Vupen's finding is one of the first issues for Windows 8, released last week, and Internet Explorer 10, although vulnerabilities have since been found in other third-party software that runs on the Windows 8.
Dave Forstrom, Microsoft's Trustworthy Computing director, said the company encourages researchers to participate in its Coordinated Vulnerability Disclosure program, which asks that people give it time to fix the software problem before publicly disclosing it.
"We saw the tweet, but further details have not been shared with us," Forstrom said in a statement.
http://www.itworld.com/endpoint-security/309929/whats-price-new-windows-8-zero-day-vulnerability