French Company That Sells Exploits To The NSA Sat On An Internet Explorer Vulnerability For Three Years

from the kicking-open-backdoors-and-charging-admission dept

Thanks to Snowden's leaks and a host of other information preceding those, it's become clear that intelligence agencies -- despite their constant and loud "worrying" about cyberattacks -- are more than happy to make computers and the Internet itself less safe by purchasing, discovering and hoarding vulnerabilities. These are exploited to their fullest before being reported to the entities that can patch the holes. In the meantime, the NSA and others make use of these security holes, leaving millions of members of the public exposed.

It may just be arrogance. Maybe these intelligence agencies believe they're the only ones with this access and, because they're ostensibly the "good guys," any collateral damage caused by unpatched vulnerabilities is acceptable. The other option is worse: they just don't care. Their "higher calling" -- the fight against terrorists and hackers -- is more important than the security of computer users around the world.

VUPEN, a French company that sells exploits to the NSA (as well as intelligence and law enforcement agencies around the world), recently capitalized on an Internet Explorer vulnerability it's been sitting on for over three years.

Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition.

The company wrote in a disclosure last week that it discovered the vulnerability (CVE-2014-2777) on 12 February 2011, which was patched by Microsoft on 17 June (MS14-035).

The flaw affected Internet Explorer browsers eight through eleven and allowed remote attackers to bypass the protected mode sandbox.

For three years, VUPEN held onto this, allowing the exploitation of four straight Internet Explorer versions. IE may be losing its grasp on home users, but governments around the world still tend to opt for Microsoft's browser (along with its suite of productivity products). VUPEN finally notified Microsoft of this vulnerability en route to collecting $300,000 for this and other exploits it's been hoarding. (Additional products affected include other widely-used programs like Adobe Flash and Adobe Reader.)

There can be little doubt that VUPEN turned these vulnerabilities over to whatever intelligence/law enforcement agency would have them during the last three years. Informing Microsoft of this flaw at the point of discovery just isn't a great way to make money. IE users were left unprotected against anyone who wished to exploit the same hole the security contractor had slapped a price tag on.

VUPEN's spin on this bug hoard/$300,000 windfall conveniently leaves out the fact that it sat on these exploits for extended periods of time.

In March 2014, VUPEN has once again won 1st place at the Pwn2Own 2014 security competition by creating and showing zero-day exploits for Google Chrome, Internet Explorer 11, Adobe Reader XI, Adobe Flash, and Mozilla Firefox. The exploits have fully bypassed all Windows 8.1 security protections and exploit mitigations in place, and all sandboxes. VUPEN has reported all the discovered zero-day vulnerabilities to the affected vendors to allow them to fix the flaws and protect users from attacks.

The word "creating" implies it discovered these holes during the conference and immediately turned them over to the vendors. While it's true that the vendors can now "fix the flaws," the latter half of that sentence ("protect users from attacks") is only true going forward. There's no telling how many attacks occurred over the past months and years while VUPEN hawked its vulnerability stash.

But that's not even the most disingenuous part of VUPEN's pitches. This is:


If you can't read the text, it says:
Do not wait 6 to 9 months for vendor patches to protect your infrastructures and assets from critical vulnerabilities.
So, VUPEN will "protect" your private company from exploits it knows about but won't pass on to vendors until it's managed to sell enough protection plans. Your company wouldn't need to "wait 6 to 9 months" for vendors to patch products if VUPEN and others would turn these over to them sooner. But that's not part of the business plan. There's nothing wrong with a company trying to make money, but hoarding exploits and selling protection against them seems to run very close to extortion. It's like selling home security while running a gang of thieves on the side.


Reader Comments

  1. That One Guy (profile), Aug 1st, 2014 @ 1:43am

    When asked to comment on the accusations, a VUPEN spokesman replied with 'It was a security vulnerability dealing with IE. We figured it wasn't too important to notify MS about it right away, because, let's be honest, anyone who still uses IE likely doesn't care too much about proper security anyway.'

  2. Anonymous Coward, Aug 1st, 2014 @ 4:14am

    "...running a gang of thieves on the side."

    Um, they're French... hello?

  3. Anonymous Coward, Aug 1st, 2014 @ 4:31am

    If you see something, exploit something.

  4. Anonymous Coward, Aug 1st, 2014 @ 4:35am

    Well they are French

    So no wonder they surrender our software exploits to the enemy.

  5. Anonymous Coward, Aug 1st, 2014 @ 4:44am

    Prize is defense fund

    Wasn't there a story about someone reporting vulnerabilities who was accused of hacking?

    Maybe they will need the prize for a defense fund.

  6. Ninja (profile), Aug 1st, 2014 @ 4:49am

    Re:

    Cue the collective laugh. Classic comedy, dear sir. Have my funny vote.

  7. Anonymous Coward, Aug 1st, 2014 @ 4:59am

    Nobody of any worth or value uses IE

    And those that do DESERVE to be exploited, to be hacked, to have their bank accounts emptied, to have their companies bankrupted, to have their lives destroyed.

    Let them burn.

  8. Anonymous Coward, Aug 1st, 2014 @ 5:03am

    Re: Nobody of any worth or value uses IE

    Hey now, it's a great tool for downloading Firefox or any other browser if you're not savvy with a command prompt!

  9. Anonymous Coward, Aug 1st, 2014 @ 5:24am

    Re: Prize is defense fund

    A story? Like there was only one.

  10. Anonymous Coward, Aug 1st, 2014 @ 5:25am

    If you still use Internet Explorer in an age where even "ol' grandma" knows it sucks and uses either Chrome or Firefox, you deserve everything bad you get.

  11. Anonymous Coward, Aug 1st, 2014 @ 5:27am

    Re: Nobody of any worth or value uses IE

    Not sure where this "they deserve it" cheerleading comes from.

    Possibly it is due to repressed anger and self-hate over being a past victim?

  12. Anonymous Coward, Aug 1st, 2014 @ 5:28am

    Re:

    And another case of victim blaming - I don't get it - please explain.

  13. Anonymous Coward, Aug 1st, 2014 @ 5:53am

    Re:

    From the article:
    "showing zero-day exploits for Google Chrome, Internet Explorer 11, Adobe Reader XI, Adobe Flash, and Mozilla Firefox."
    So people using Chrome and Firefox "deserve everything bad" they get too?

  14. Anonymous Coward, Aug 1st, 2014 @ 7:03am

    Re: Re: Nobody of any worth or value uses IE

    "Possibly it is due to repressed anger and self hate over being a past victim?"

    Wrong. I've NEVER used IE, because I have the experience and savvy to see crap software coming a mile away.

    No, it's due to my annoyance at the enormous price that all the rest of us have had to pay for the stupidity, carelessness, incompetence and ignorance of those who use OR who mandate the use of IE. The aggregate price tag for that over the past few decades is enormous, and the bill keeps going up. I could spend (and have spent) pages trying to explain the scope of that, but since I have a meeting shortly, let me sum up: it's possible that IE is the most expensive piece of software, in terms of what the vulnerabilities have cost us, ever deployed. (And given the existence of Adobe Acrobat, that's saying a lot.)

    I'm at the point where I really do wish that anyone launching IE (a) would be instantly banned for life from the Internet and (b) would have their media wiped clean and reformatted.

  15. Anonymous Coward, Aug 1st, 2014 @ 7:12am

    Re: Re:

    "So people using Chrome and Firefox "deserve everything bad" they get too?"

    No. Just IE users. Do try to pay attention.

  16. A Non-Mouse, Aug 1st, 2014 @ 7:53am

    Higher calling? Ha!

    "Their "higher calling" -- the fight against terrorists and hackers -- is more important than the security of computer users around the world."

    Their "higher calling" has never been about fighting terrorists and hackers. It has always been about funneling billions of dollars to their corporate sponsors. The fight against terrorists and hackers is just their latest excuse for doing so.

  17. a non, Aug 1st, 2014 @ 8:26am

    Gee, I sure wish I had super special 'see bad software from a mile away' powers, like you.

    Such hate in some of these posts, and so poorly focused at that... you should be ashamed.

    I speculate we've not even seen the tip of the iceberg of this awful paradigm of exploits. Currently incentives are biased towards bad code, non-reporting, and even deliberately writing exploits into code. Unless that changes, it's only going to get worse. What stops the big players from secretly developing and bringing exploits of their own products to market? The three letter guys? They would be their best customer. Not even open source is safe: make good code for free, or code an 'oops' you might be able to sell for 10's of k's, and the worst you'll get IF you get caught is Linus calling your work retarded. We've just found out Debian doesn't even vet submitted work on crucial systems (gcc in this latest example). Freakin Debian! wtf?
    Someone please explain why I'm wrong - I'd really like to be wrong on this.

    PS - I'm not claiming the gcc thing is/was deliberate; seems suspect to me, but I'm nowhere near knowledgeable enough on the particulars to have an informed opinion. Haven't read any accusations, though I haven't looked for them. Shocking to me that it made it through the system though; seems like there's something really wrong with that.

  18. ottermaton (profile), Aug 1st, 2014 @ 8:41am

    good guys

    "Maybe these intelligence agencies believe they're the only ones with this access and, because they're ostensibly the "good guys,"

    Oh, when the President does it, that means that it is not illegal.
    -Richard Milhous Nixon

  19. ottermaton (profile), Aug 1st, 2014 @ 8:47am

    Re:

    "Someone please explain why I'm wrong- I'd really like to be wrong on this."

    Easy.

    "the tip of the iceberg of this awful paradigm"

    You used a tired metaphor combined with an overused cliché. Clearly you can't think for yourself.

  20. John Fenderson (profile), Aug 1st, 2014 @ 8:58am

    Re:

    The fact is that writing good, solid, secure code of any complexity is an incredibly difficult thing to do. All code is guaranteed to contain vulnerabilities, whether open source or not. There's no need to speculate about ill intent or incompetence (particularly since, in the end, it doesn't matter as much why the vulnerabilities are in there as it does detecting and eliminating them). It's just the nature of complexity.

    "We've just found out Debian doesn't even vet submitted work on crucial systems (gcc in this latest example). Freakin Debian!"

    This is because gcc isn't Debian's project. They, like every other distro, are counting on the project team to do the proper vetting. This is no different than how commercial software works, btw -- each team that depends on another team's work expects the other team to do all the proper QA steps.

  21. ottermaton (profile), Aug 1st, 2014 @ 9:05am

    Re:

    "We've just found out Debian doesn't even vet submitted work on crucial systems"

    That is utter and complete bullshit.

    "Prove me wrong"

    Easy.

    Go look up the version of gcc in STABLE Debian. Oh, lookie, I'll even give you a link.

    The version of gcc that Linus is having a hissy fit over is NOT in "crucial" systems. It IS being vetted. It is ONLY in TESTING, which is the reason why they call it _testing_.

    Do us all a favor and don't comment again until you have a clue.

  22. Chris Brand, Aug 1st, 2014 @ 10:18am

    This really is an area for government intervention

    Because the "free market" incentives are all wrong here. We need laws that make it illegal to pass vulnerability information on to anyone other than the vendor as the first recipient, along with timeframes by which that needs to be done if you discover a vulnerability yourself. And, of course, legal protection for the people who follow those rules (no more "how dare you tell us our product has a vulnerability! Unleash the lawyers!").

    That would do far more to protect computer users than the "share everything with the government" laws that have been proposed.

  23. Anonymous Coward, Aug 1st, 2014 @ 11:25am

    Sales are determined by the reputation of the maker. Reputation depends on the perception of a perfect product or service. Any fault, actual or perceived, detracts from that perfection. Thus, shoot the messenger.

  24. Anonymous Coward, Aug 1st, 2014 @ 11:37am

    Re: Re: Re: Nobody of any worth or value uses IE

    Don't understand this at all. I'm grateful that so many users have poor security practices. It means that I don't have to do much to secure myself. If the average user had good security practices, malware would hardly cease to exist; black hats would just up their game and then I would have to up my game to protect myself. If the average user had good security practices I would need a fucking PhD in computer security to protect myself. You have it backward. You should be grateful.

  25. JP Jones (profile), Aug 1st, 2014 @ 12:25pm

    Re: Re: Re: Nobody of any worth or value uses IE

    Some of us work in jobs that only use IE. I don't use it on any of my home computers, but stupidity on the part of the user is NOT always their reason for IE.

    Case in point: I'm writing this on IE from a work computer. It is literally impossible for me to use another browser. Heck, my employer still uses Internet Explorer 8.

    Oh freaking well.

  26. JP Jones (profile), Aug 1st, 2014 @ 12:47pm

    Re: Re: Re:

    "No. Just IE users. Do try to pay attention."

    No, it was a legitimate question. There is no such thing as perfect security. By your logic, if you don't use a Linux-based operating system with advanced cryptology and custom code you "deserve everything you get." Guess what? Not everyone has the access or technical knowledge to be perfectly secure. Keep in mind, even if you do all of that stuff, you still aren't completely secure.

    This is like saying that if a guy gets mugged on the street and has his wallet stolen he "deserved everything he got" because he wasn't a black belt in karate, or that a homeowner who gets his house broken into "deserved everything they got" because they didn't install bars on all the windows, a barbed wire fence, and a 24-hour armed guard.

    The fault always lies with the criminal, not the person they've abused. Sure, victims usually have ways to avoid becoming easy to exploit, but when they're exploited, it's still the criminal's fault. While I wouldn't use IE on my home computer for exactly the reasons you listed (it's not very secure) and others (the interface is stupid and slow), I still don't believe someone who gets their computer hacked or otherwise exploited is at fault.

    Alexis Ohanian said it well in the Munk debate with Glenn Greenwald... "It's like if the [city] police learned about a flaw in all the locks in [your city], one which makes it easier to break into your home, and instead of telling people about it and having it fixed they keep that information to themselves so they can use it if they need to get into someone's house to stop crime." (paraphrase mine).

    How is this OK?

  27. Anonymous Coward, Aug 1st, 2014 @ 1:41pm

    Re: This really is an area for government intervention

    Even that restriction is a bad idea. Perhaps against selling it commercially, maybe, but ostrich-thinking Security-Through-Obscurity is common enough in companies that you may need to release it publicly for them to do anything about it at all.

  28. Anonymous Coward, Aug 1st, 2014 @ 2:46pm

    Re: Prize is defense fund

    Happened many times. It's perfectly OK to exploit vulnerabilities for personal gain and nefarious reasons, but to find them and report them is illegal and may get you ignored or sued.

  29. Anonymous Coward, Aug 1st, 2014 @ 4:59pm

    Re: Re: Prize is defense fund

    It also can and has resulted in criminal charges.

  30. Anonymous Coward, Aug 1st, 2014 @ 5:06pm

    Re: Re: Re: Nobody of any worth or value uses IE

    It is true that the cost of criminal activity upon society is large; however, the contribution of hacked browsers (all of them) pales in comparison to that perpetrated by banksters, Wall Street, and other crooks.

    So, I guess what I'm saying is that your anger may be misdirected.

  31. Padpaw (profile), Aug 1st, 2014 @ 5:20pm

    Why isn't this classified as extortion?

  32. Anonymous Coward, Aug 1st, 2014 @ 5:21pm

    Re:

    "Sales are determined by the reputation of the maker"

    Yeah, in a textbook example. But in the real world you have corporations like Microsoft which use their market position to bully OEMs into what is now commonly referred to as the Microsoft tax. For some time, it has been difficult for the common person to purchase a non-Apple computer that does not come with a Microsoft OS (which includes IE) pre-installed. It is even more difficult to purchase one with an alternative OS installed. So, ummm - learn how to build your own machine and be your own judge.

  33. nasch (profile), Aug 1st, 2014 @ 5:35pm

    Re: Re: This really is an area for government intervention

    "Perhaps against selling it commercially maybe, but ostrich thinking Security-Through-Obscurity is common enough in companies that you may need to release it publicly for them to do anything about it at all."

    Not that I agree with his plan as described, but he said "We need laws that make it illegal to pass vulnerability information on to anyone other than the vendor as the first recipient". That wouldn't preclude public release if the vendor didn't do anything about it.

  34. Anonymous Coward, Aug 2nd, 2014 @ 10:32am

    Re:

    Get off your high horse; we're trying to hold together a society here where people actually help each other to be safe and happy instead of blaming every victim for their own situation.

    Chrome and Firefox have both had a ton of exploits and problems, but we better ignore that since it doesn't fit into a snazzy soundbite. Besides, the IE-hating bandwagon is just too big and comfy to let pass by.

  35. Anonymous Coward, Aug 2nd, 2014 @ 6:04pm

    Re: "...running a gang of thieves on the side."

    The expression "filer à l'Anglaise" has no equivalent in English; a style sparsely used in children's cartoons wherever French is still spoken (like where I live, that huge hydro powerhouse not to mess with north of New York ;)

