Vupen

It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is scurried from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits are executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.

The National Security Agency is considered by some to have the best roster of hackers in the world; but sometimes even the best need some help. That may well be the reason the NSA became a customer of French hacking-tools vendor Vupen in 2012.

The spying agency, which has been scrutinized of late for its top secret surveillance programs revealed by Edward Snowden, bought a one-year subscription to Vupen's Binary Analysis and Exploits service in 2012, as revealed on Tuesday by documents obtained by MuckRock through a Freedom of Information Act request.

VUPEN says in a Twitter post that they have found a way around the security features for both Windows 8 and Internet Explorer 10. It is now selling that information to any companies or governments willing to pay lots of money to protect their Windows 8 systems.

VUPEN Security has detailed how to exploit a critical memory corruption vulnerability in Xen hypervisors to break out of virtual machines and execute code.

Microsoft is facing pressure to patch a zero-day threat that is being exploited in the wild, as vulnerability seller VUPEN has found a way to make the exploit work across all Windows platforms.

Attack code for the CVE-2012-1889 flaw, which affects Microsoft XML component found in Internet Explorer, was published earlier this month. The vulnerability could allow remote code execution if a user visits a specially-crafted webpage on Internet Explorer.