Despite Microsoft’s added security in Windows 8, Vupen, a French security firm, claims it has already found a vulnerability unknown to Microsoft. The attack comes via security holes in Internet Explorer 10 and can be used to take control of a computer over the internet.
Exploits are nothing new to most people, but the news has shed light on an underbelly of the security industry. Vupen will add an update to their own defensive software, but has yet to release details of the exploit to Microsoft. The reason for this withholding can be found on the other side of their business – offensive security.
Vupen is known for its relationship with the government intelligence industry, selling exploits to government intelligence and law enforcement agencies for surveillance. Most people are familiar with the practice in which researchers who discover exploits share them with developers to help improve the security of their products – this is where a large number of patches and security updates come from.
The flip side of that coin is what is generally referred to as offensive security – researchers who keep their exploits secret and sell those secrets for a massive profit to parties that plan on using the exploits. Vupen is unique in that it is part of a small list of known firms that offer this service only to government entities.