French Company That Sells Exploits To The NSA Sat On An Internet Explorer Vulnerability For Three Years

from the kicking-open-backdoors-and-charging-admission dept

Thanks to Snowden's leaks and a host of other information proceeding those, it's become clear that intelligence agencies -- despite their constant and loud "worrying" about cyberattacks -- are more than happy to make computers and the Internet itself less safe by purchasing, discovering and hoarding vulnerabilities. These are exploited to their fullest before being reported to the entities that can patch the holes. In the meantime, the NSA and others make use of security holes and vulnerabilities, leaving millions of members of the public exposed.

It may just be arrogance. Maybe these intelligence agencies believe they're the only ones with this access and, because they're ostensibly the "good guys," any collateral damage caused by unpatched vulnerabilities is acceptable. The other option is worse: they just don't care. Their "higher calling" -- the fight against terrorists and hackers -- is more important than the security of computer users around the world.

VUPEN, a French company that sells exploits to the NSA (as well as intelligence and law enforcement agencies around the world) recently capitalized on an Internet Explorer vulnerability it's been sitting on for over three years.

Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition.

The company wrote in a disclosure last week it discovered the vulnerability (CVE-2014-2777) on 12 February 2011 which was patched by Microsoft on 17 June (MS14-035).

The flaw affected Internet Explorer browsers eight through eleven and allowed remote attackers to bypass the protected mode sandbox.

For three years, VUPEN held onto this, allowing the exploit of four straight Internet Explorer versions. IE may be losing its grasp on home users, but governments around the world still tend to opt for Microsoft's browser (along with its suite of productivity products). VUPEN finally notified Microsoft of this vulnerability en route to collecting $300,000 for this and other exploits its been hoarding. (Additional products affected include other widely-used programs like Adobe Flash and Adobe Reader.)

There can be little doubt that VUPEN turned out these vulnerabilities to whatever intelligence/law enforcement agency would have them during the last three years. Informing Microsoft of this flaw at the point of discovery just isn't a great way to make money. IE users were left unprotected against anyone who wished to exploit the same hole the security contractor had slapped a price tag on.

VUPEN's spin on this bug hoard/$300,000 windfall conveniently leaves out the fact that it sat on these exploits for extended periods of time.

In March 2014, VUPEN has once again won the 1st place at the Pwn2Own 2014 security competition by creating and showing zero-day exploits for Google Chrome, Internet Explorer 11, Adobe Reader XI, Adobe Flash, and Mozilla Firefox. The exploits have fully bypassed all Windows 8.1 security protections and exploit mitigation in place, and all sandboxes. VUPEN has reported all the discovered zero-day vulnerabilities to the affected vendors to allow them fix the flaws and protect users from attacks.

The word "creating" implies it discovered these holes during the conference and immediately turned them over to the vendors. While it's true that the vendors can now "fix the flaws," the latter half of that sentence ("protect users from attacks") is only true going forward. There's no telling how many attacks occurred over the past months and years while VUPEN hawked its vulnerability stash.

But that's not even the most disingenuous part of VUPEN's pitches. This is:


If you can't read the text, it says:

Do not wait 6 to 9 months for vendor patches to protect your infrastructures and assets from critical vulnerabilities.

So, VUPEN will "protect" your private company from exploits it knows about but won't pass on to vendors until it's managed to sell enough protection plans. Your company wouldn't need to "wait 6 to 9 months" for vendors to patch products if VUPEN and others would turn these over to them sooner. But that's not part of the business plan. There's nothing wrong with a company trying to make money, but hoarding exploits and selling protection against them seems to run very close to extortion. It's like selling home security while running a gang of thieves on the side.

Filed Under: hacking contest, internet explorer, prize money, pwn2own, security holes, vulnerability
Companies: microsoft, vupen

South Korea Still Paying The Price For Embracing Internet Explorer A Decade Ago

from the no-escape dept

The problems of monopolies arising through network effects, and the negative effects of the lock-in that results, are familiar enough. But it's rare to come across an entire nation suffering the consequences of both quite so clearly as South Korea, which finds itself in this situation thanks to a really unfortunate decision made by its government some years back:

At the end of the 1990s, Korea developed its own encryption technology, SEED, with the aim of securing e-commerce. Users must supply a digital certificate, protected by a personal password, for any online transaction in order to prove their identity. For Web sites to be able to verify the certificates, the technology requires users to install a Microsoft ActiveX plug-in.

The trouble is ActiveX is only supported on one platform: Microsoft Windows. As a result, when the South Korean government made the technology mandatory for online e-commerce, the entire South Korean Internet sector become enslaved to Internet Explorer:

It forced consumers to use Internet Explorer because it was the only browser ActiveX plug-ins were compatible with. By default, Web developers optimized not only banking and shopping Web sites for Internet Explorer, but all Web sites. For developers, this just seemed logical. The result has been a decade-long monopoly in the Korean market, where virtually all Korean Web sites are optimized for Internet Explorer.

Eventually, the South Korean government noticed that it was totally out of step with the rest of the world in effectively forbidding important alternative technologies like iPhones or Android, and took steps to remedy the situation:

A bylaw was created that said government Web sites must accommodate at least three different Web browsers and in 2010 they withdrew the mandate governing the use of ActiveX plug-ins.

But there was a catch.

If a company wants to stop using ActiveX plug-ins, it has to use an alternative technology that offers the same level of insurance. To get approval to use such a technology, they have to get approval from a government appraisal committee. The committee was formed over a year ago and has yet to make a single approval.

So even though the possibility of using something other than ActiveX is there, in practice there are simply no other options for secure transactions. A choice taken a decade ago to standardize on one technology has locked an entire nation into that platform, and it's proving extremely hard to escape.

And it's not just the local coders that are suffering: businesses, too, are hamstrung when it comes to innovation. As Kim Kee-chang, founder of the OpenWeb organization dedicated to expanding Web accessibility in Korea, explained:

"If people are thinking of opening up some service ultimately connected to payment they really have no chance in Korea," Kim said. "They are stuck in the payment stage and even if they could make it in Korea, they'd have little hope in an international market."

It's a classic lock-in due to network effects, aided and abetted by a thoughtless government decision all those years ago. As South Korea falls further and further behind in this regard, trapped in its fossilized world of ActiveX, it may well come to be seen as warning to other governments to adopt true open standards, if they want to avoid a similar fate.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: activex, internet explorer, south korea, windows
Companies: microsoft

Microsoft Debated Privacy vs. Advertisers In Internet Explorer... And Advertisers Won

from the of-course-they-did dept

The Wall Street Journal has a story detailing how Microsoft developers had worked out a plan to add serious privacy capabilities to Internet Explorer 8, which would specifically be designed to try to block tracking efforts by advertisers. The default would recognize if a third-party service/cookie/script appeared on more than 10 visited websites and would then assume that was a tracking device of sorts. The idea was to make this the default and make it easy for users to control their privacy settings. However, when word filtered over to the side of Microsoft's business that sold advertising, folks there went ballistic and forced the IE team to change its plans:

Executives in Microsoft's new ad business were upset when the designers of Internet Explorer hatched the plan to block tracking activity, say people involved in the debate. At a meeting in the spring of 2008, Brian McAndrews, a Microsoft senior vice president who had been chief executive of aQuantive before Microsoft acquired it, complained to the browser planners. Their privacy plan, he argued, would disrupt the selling of Web ads by Microsoft and other companies, these people say.

The folks on the other side realized that people were quickly moving away from IE, and thought (probably correctly) that the way to attract users was to actually (what an idea!) fight for the users and what they wanted, such as by implementing strong privacy tools. After fighting it out back and forth in a series of meetings, the advertising folks won... and Internet Explorer will continue to lose users. Admittedly, other browsers don't offer such privacy features standard either -- and Google clearly has the same conflict of interest to deal with. However, these days, if you are concerned about privacy, using Firefox with NoScript, AdBlocker and various other privacy protection extensions can certainly help.

Filed Under: advertisers, browsers, internet explorer, privacy
Companies: microsoft

Google, Too, Chooses Lobbying Over Competing

from the is-that-so-googley? dept

Microsoft's increasing regulatory headache from the European Commission concerns its Internet Explorer browser that comes standard with Windows. We've said before that this investigation is prima facie silly given the vibrant and increasing competition in the browser market, but it looks like things are just going to get worse for Microsoft. First, it was Mozilla deciding to complain that Microsoft was creating an unhealthy browser market by bundling IE with Windows. Now, Google is jumping onto the bandwagon and arguing that Microsoft's policy limits competition and harms innovation.

This is primarily problematic because the browser market is anything but uncompetitive. Firefox has created what is widely considered a better product, and, wouldn't you know it, gained considerable market share around the world (as high as 30% in some regions). More recently, Google introduced its own browser, Chrome, that launched to accolades and much user adoption. By introducing regulators into the browser market, these companies will all be distracted from providing users with the best possible product.

But what's even more confounding is Google's involvement. Obviously the company desires control of most browsers so it can set the defaults in its favor, but it is increasingly obvious that Google should not be bringing regulatory attention to the Internet -- especially when it comes to antitrust questions. Although claims of Google's "monopoly" are as specious as Internet Explorer's, making noise about antitrust is likely to come back and bite Google, especially given the rising number of political enemies they have.

Filed Under: antitrust, browsers, bundling, eu, internet explorer, regulators
Companies: google, microsoft

Disappointing: Mozilla Siding With Bogus EU Antitrust Action Against Microsoft

from the just-go-out-and-compete dept

Last month, it seemed silly that EU regulators were pursuing Microsoft for antitrust violations in the browser market for bundling IE. It was clear that some of the initial complaints had come from Opera -- an also-ran in the browser market. However, it seemed silly because there is vibrant and growing competition in the marketplace. Firefox has continued to grow its market share, and in the past few years we've seen new entrants in the browser market from Apple and Google -- both of whom have established small, but significant footholds.

So, it's especially disappointing to read that the Mozilla Foundation appears to be siding with the regulators, complaining about Microsoft's actions. Obviously, Mozilla is competing with Microsoft in this space, so at a first pass it may seem in their best interests to lobby the EU to punish Microsoft. But it's disingenuous to say the least. Mozilla got where it did because it competed effectively. It built a better, more secure browser that many people made the choice to support over IE. In fact, Firefox's chief architect, apparently unaware of what his "bosses" were cooking up, seems to have recently contradicted the Mozilla Foundation's new position, where he admitted that he couldn't see how anyone with a straight face could claim that Microsoft's ability to bundle created a monopoly, noting that Firefox's success in growing marketshare showed that making yourself "demonstrably better" worked. Oops.

Filed Under: antitrust, browsers, bundling, eu, firefox, internet explorer, regulators
Companies: microsoft, mozilla

EU Regulators Can't Resist: Go After Microsoft For Antitrust Yet Again

from the punching-bag dept

Microsoft is becoming quite the antitrust punching bag over in Europe. After a years long fight concerning antitrust charges in Europe, Microsoft finally gave in and agreed to pay up. So, now the matter is over with, right? No, of course not. EU regulators are back at it, telling Microsoft that the company is probably violating antitrust laws by bundling Microsoft Internet Explorer with Windows. This seems like an odd issue to bring up now as there is increasing competition in the browser market. Firefox's marketshare has continued to climb. Google has entered the market with Chrome. Safari is gaining increasing life (in part due to the iPhone) and there are numerous other upstarts as well. The idea that Microsoft is somehow exerting undue influence on the browser market (a market that, for the most part, involves free software) seems rather odd. It seems to confirm the initial opinion that many had of the original antitrust lawsuit in the EU against Microsoft. It's more about a simple dislike for Microsoft than any actual antitrust violation.

Filed Under: antitrust, browsers, bundling, eu, internet explorer, regulators
Companies: microsoft

Are IE Users Really Jumping To Chrome?

from the seems-hard-to-believe dept

On the day that Google's Chrome browser launched I saw a few reports claiming that it already had jumped to somewhere between 2 and 3% of the market. Those numbers seemed ridiculously high for a first day launch of a new piece of software -- especially in a market where the majority of people still use the browser that came included with their operating system, and have not chosen to download and use an alternative like Firefox. While some more recent stats suggest both lower penetration, and that Chrome got a first day bump that seems to now be going away, another study suggests that most of the Chrome marketshare actually came from Internet Explorer users, rather than Firefox or Opera. In fact, the report found that all of the market share difference came from IE. That seems hard to believe. I would imagine that the folks most likely to download and use Chrome are those who are already comfortable with downloading and using an alternative browser. So, can anyone explain these results?

Filed Under: browsers, chrome, firefox, internet explorer, marketshare

The First Step Is For Microsoft To Admit It Has A Problem

from the hi,-my-name-is-Microsoft-and... dept

Ars Technica brings word of a pair of interesting efforts underway over at the Mozilla Project -- both aimed at improving Internet Explorer, whether Microsoft likes it or not.

You may have heard of the first one already: ScreamingMonkey has gotten some press. It aims to make the core of Firefox's next-generation Javascript engine (originally developed by Adobe) available in IE, providing advantages in speed and standards-compliance.

The other project is a bit more recent, and a bit more far-out: it's an IE plugin created by Mozilla developer Vladimir Vukićević that implements the HTML5 <canvas> element -- something that IE's never gotten around to supporting. Canvas allows Javascript to draw 2D graphics on the client-side. You may have stumbled across it in the form of one or another nifty in-browser FPS demo. It's a potentially powerful tool, but, as Ars notes, one that hasn't achieved widespread adoption by web developers due to IE's lack of support for it.

Both of these projects are impressive pieces of technology. But unfortunately both attempts to improve IE are unlikely to succeed in the ways that their authors would like -- and it's easy to see why. It's safe to say that IE users tend to be among the web's least technically sophisticated. These are exactly the people who can least reasonably be expected to install modular improvements to their browser's underlying technology. It's hard to imagine anyone finding it easier to do this than to simply download and begin using Firefox -- a task that's already clearly too complicated for many people. And that's to say nothing of the difficulty of getting the word out in the first place.

The right solution is the same as it's always been: for Microsoft to fix its abysmally noncompliant browser. They wouldn't even have to do it themselves! As Tom Raftery suggested some time ago, Microsoft could simply open-source IE. Superficially, this seems like a good fix: it's not as if IE is a profit center for Microsoft, and Apple has already shown the viability of the approach with its open source WebKit HTML rendering engine. A bold step like that could go a long way to bolstering what has thus far been a fairly anemic stab at open source on Redmond's part.

But of course it will never happen. As some of Raftery's commenters pointed out, IE probably couldn't be open sourced without revealing critical -- and valuable -- Windows code. More to the point, Microsoft wants a broken browser. Not supporting <canvas> means that no one will rely on it, which in turn means less competition for Microsoft's rich client library Silverlight -- created to solve the problem of missing <canvas>-like functionality (among other things). More broadly, a world of webapps that are perpetually forced to accommodate IE's underachieving status means less time spent by users in the cloud, and consequently a bit more relevance for MS. Put simply, IE's awfulness isn't a bug, it's a feature.

This is hardly an original observation, but that doesn't make it any less true. And that means that the answer to IE's persistence is the same as it's always been: for Safari, Opera, Firefox et al to consistently provide a better browsing experience and thereby compel Microsoft to fix its mistakes -- as it at least began to do with IE7. Unfortunately, that's something that they're going to have to do for themselves.

Filed Under: internet explorer, mozilla, open source, standards
Companies: microsoft