LinuxQuestions.org


onebuck 11-05-2012 08:37 AM

For sale: Windows 8 zero-day vulnerability
 
Hi,

Now we can see some insight into MS Win/8. It did not take long to find a security issue (or issues) in Microsoft's supposedly 'Most secure' OS ever.

For sale: Windows 8 zero-day vulnerability

I am sure it won't be long before this is verified and published.

Good read!

TobiSGD 11-05-2012 10:20 AM

Come on, let's be fair. Those people are searching for exploits to sell them. Of course they are now concentrating on compromising a new and nonetheless soon to be very widely used OS. If Ubuntu were as widely used as Windows (and that is what they want, see Bug #1), I doubt it would last longer against the attacks of those people than Windows does. A whole army of crackers is torturing that OS, and of course they will find exploits.

onebuck 11-05-2012 11:26 AM

Member Response
 
Hi,

Very fair for a company to make a profit.
Good enterprise to gain something from someone that is out to make a profit too. I see no fault in a company that finds vulnerabilities and sells to reputable clients. Just like someone who develops for an OS wants to know about security issues or vulnerabilities, thus protecting their application(s).

Microsoft released Win/8 claiming it to be the safest OS ever, so if someone finds an exploit or weakness then by all means provide it to the highest bidder. Not sure if Microsoft has ever purchased from Vupen.

sundialsvcs 11-05-2012 10:05 PM

Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDEs are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)

But also: ZDEs do exist, and probably always will, as long as human beings are the ones who design computer software. Every operating system ever written has them, including of course Linux. It really isn't a slight on the software engineers at Microsoft, nor particularly upon Win8, to assert that they exist. They do. They always do.

exvor 11-05-2012 10:28 PM

I am not sure I would agree that Windows 8 will be the most popular OS. I think many people are going to stick with Windows 7. I played around with Windows 8 in a local computer store here for a little while and honestly I don't see why I would bother to upgrade. After you get past the horrible tablet interface and get to the real desktop it looks, feels, and acts like Windows 7. I know I am not your average consumer, but I think most people are going to see this as well, and I know for a fact that many if not almost all companies won't touch Windows 8 since it causes a massive loss in productivity due to user training. Let's be honest, anyone who has worked at a helpdesk knows that most business users are not the best with technology. ;)

salasi 11-06-2012 01:10 AM

This does seem to have got a bit of publicity, including here.

Quote:

The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing vulnerability details with vendors, said that the exploit it has cooked up allows it to take over Windows 8 machines running Internet Explorer 10.

Sometimes controversial?

Or, from the Computerworld article

Quote:

Vupen occupies a gray area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organisations defend themselves from hackers, and in some cases, play offense as well.

Hmm, everyone would be better placed to defend themselves against hackers if Vupen disclosed back to Microsoft and Microsoft fixed it in a timely manner. So that seems a little disingenuous, at best. Although, 'Microsoft' and 'timely' is problematic, too. But that's not the way that Vupen make money.

Quote:

So what's the vulnerability worth? It's hard to say. Vupen doesn't publish a public price list. But Melbourne said "the value of the bug will only increase with time, of course, the longer Vupen sits on it and if no one else stumbles upon it."

Quote:

Originally Posted by sundialsvcs (Post 4823104)
Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDEs are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)

Here's the issue; normally security researchers do something approximating to full disclosure that allows the organisation which authors the software to correct the problem(s), preferably before anyone actually exploits the vulnerability. For this lot's intellectual property to be worth anything, they need to avoid the standard 'disclose and let fix' cycle for as long as possible, in order to monetise their discovery.

I tried to come up with an analogy for this behaviour, and the closest I came was 'I know the name of the serial killer, but I'm going to keep the details secret for now, because that way I get to blackmail them for longer' (not an exact analogy, but...). I don't think that you can regard this as entirely in the interests of humanity, but, as is said of a number of professions, they do have to make money, somehow. Anyhow, in private conversation, I'm leaning towards a slightly stronger expression than 'kinda unethical'.

sundialsvcs 11-06-2012 07:10 AM

It's also a way to inflate your own reputation among people foolish enough to buy from you. An independent review of the supposed vulnerability might quickly disclose snake-oil, and/or conclude that they're simply taking public knowledge and reselling it to suckers. If they don't tell you, not only don't you know, but you will tend to inflate your perception of them because, "I've got a secret, secret, secret ..." People love to think that they're "in on something," and I'm quite sure they'll buy it.

onebuck 11-06-2012 09:28 AM

Member Response
 
Hi,

I would think that if your 'secret(s)' are not valid then sooner rather than later customers would stop paying for your service. The company had better be reputable and able to continue providing a valid service, thus keeping return customers.

Security, be it personal or corporate, is important, or their service would never be used. Maybe for paranoia-driven companies or people, but also for users with valid concerns about having a secure system environment like MS Windows.

sundialsvcs 11-06-2012 03:22 PM

In legitimate security circles, there are no secrets-through-obscurity. You just got conned into paying for "a secret" that might not be one at all, and whose only legitimate purpose in life is breaking-and-entering anyway.
