French security company Vupen claims to have defeated Windows 8 security just days after the official launch of the operating system, and has offered a zero-day exploit for Windows 8 and Internet Explorer 10 (IE10) for sale.
Vupen offers a number of services, including government-grade exploits for intelligence-service hackers and law enforcement.
The zero-day overcomes security measures such as address space layout randomisation (ASLR) and data execution protection (DEP), Vupen said in a Tweet on Wednesday.
"Our first zero-day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8", said the Twitter message.
Address space layout randomisation helps curb memory-based attacks, and DEP can prevent applications from executing data in certain memory locations, security vendor Kaspersky Lab said in a blog post on Thursday. Return-oriented programming (ROP) techniques help attackers bypass ASLR and DEP, said Kaspersky Lab, in reference to Vupen's anti-ROP bypass claim.
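Whether ASLR and DEP protect a given Windows program at all depends on whether that program's executable opts in to them in its PE header; the high-entropy ASLR ("HiASLR") that Vupen's tweet refers to is a further 64-bit opt-in added with Windows 8. The following script, an added example that is not part of the article and not code from Vupen, Kaspersky Lab or Microsoft, reads those header bits so a defender can check which mitigations a binary actually claims. It parses only the fixed header fields (the flag values are from the public PE/COFF specification), and it builds its own minimal header-only sample images for demonstration rather than reading a real file; the helper names and the sample images are assumptions of this example. It also applies a caveat practitioners rely on: a DYNAMIC_BASE flag is meaningless if the relocation table was stripped, because the loader then cannot move the image.

```python
import struct

# Optional-header DllCharacteristics bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR ("HiASLR"), introduced with Windows 8
DYNAMIC_BASE = 0x0040     # image may be rebased at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is DEP/NX compatible
# COFF-header Characteristics bit.
RELOCS_STRIPPED = 0x0001  # no relocation data, so the image cannot really be rebased


def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR/DEP opt-ins an in-memory PE image declares in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]  # COFF Characteristics
    opt = coff + 20                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B PE32, 0x20B PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset for PE32 and PE32+
    is_64 = magic == 0x20B
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    # ASLR only works if the image is both marked relocatable and still relocatable.
    aslr = bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped
    return {
        "pe32plus": is_64,
        "aslr": aslr,
        "high_entropy_aslr": is_64 and aslr and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }


def build_sample_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Construct a minimal header-only PE image (constructed sample data, not a real binary)."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLES = {
    "fully opted in (HiASLR+ASLR+DEP)": build_sample_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT),
    "ASLR flag but relocations stripped": build_sample_pe(DYNAMIC_BASE | NX_COMPAT, RELOCS_STRIPPED),
    "32-bit, DEP only": build_sample_pe(NX_COMPAT, pe32plus=False),
    "no mitigations": build_sample_pe(0),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name}: {pe_mitigations(image)}")
```

To inspect a real executable, read its bytes with `open(path, "rb").read()` and pass them to `pe_mitigations`; the function only needs the first few hundred bytes of the file. Note that header opt-ins describe what the image permits, not what the running system enforces: system-wide DEP policy and the process's own choices (for example, Internet Explorer's tabs running with these flags set) decide what is actually in effect.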
Vupen used a number of zero-days to bypass the Windows 8 and Internet Explorer 10 threat mitigations, Vupen chief executive Chaouki Bekrar said in a Tweet on Wednesday.
"We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations. Congrats to our mitigation mitigator @n_joly", said Bekrar.
Windows 8 launched on Thursday 25 October with a number of low-level security features. For example, Secure Boot uses unified extensible firmware interface (UEFI) instead of BIOS, and early launch anti-malware (ELAM) is a driver that examines other drivers for infection. Kaspersky Lab said that by claiming a successful zero-day, Vupen also claimed to have cracked these security features.
Microsoft had not responded to a request for comment at the time of writing.