Researchers at VUPEN Security say they have uncovered multiple vulnerabilities in Windows and Internet Explorer 10 that can be combined to bypass security features in Windows 8.
According to VUPEN CEO Chaouki Bekrar, exploiting the vulnerabilities result in remote code execution without any user interaction beyond visiting a webpage.
“As for any new technology, we have been working for weeks on evaluating the security of Windows 8 before its public release,” he said. “This OS [operating system] is definitely the most secure Microsoft operating system so far. It includes impressive protections such as HiASLR (High Entropy), which significantly raises the difficulty of exploitation and and a hardened IE10 code and more secure sandbox.”
However, security researchers were still able to chain multiple vulnerabilities to fully bypass Windows’ address space layout randomization (ASLR), data execution prevention (DEP) and anti-return oriented programming (anti-ROP) protections. The company also was able to break out of the new IE 10 sandbox known as Protected Mode, he said.
Though largely mum on the details, he described the bugs as being mostly memory corruption issues in various levels of the operating system and browser.
“We follow a commercial vulnerability disclosure policy and we share all our research with customers to help them evaluate risks and protect their infrastructures against sophisticated attacks,” he said. “If a vendor is under contract with VUPEN he will receive the information as part of his subscription.”
Windows 8 became generally available Oct. 26, and includes a number of security enhancements over previous versions.
“The most obvious, and controversial, change in Windows 8 security is the new Secure Boot system,” blogged Chester Wisniewski, senior security advisor at Sophos. “New PCs that ship with Windows 8 will be required to use a UEFI BIOS, which is the first component required for securely booting Windows. The UEFI BIOS begins the loading of the operating system and ensures all of the components are signed with a digital certificate belonging to Microsoft. This should go a long way towards disrupting rootkits and boot kits that depend upon the ability to load before Windows and your anti-virus software.”
Microsoft also made minor improvements to the ASLR and DEP protections used to defend Windows and its applications against buffer overflows and other vulnerabilities, he added.
In a statement, David Forstrom, director of Microsoft Trustworthy Computing, said the company saw VUPEN’s tweet about their findings, but that further details have not been shared with them.
“We continue to encourage researchers to participate in Microsoft’s Coordinated Vulnerability Disclosure program to help ensure our customers’ protection,” he said.
*This story was updated with commentary from Microsoft.