

Security firm VUPEN claims to have hacked Windows 8 and IE10 - denzil_correa
http://thenextweb.com/microsoft/2012/11/01/security-firm-vupen-claims-to-have-hacked-windows-8-and-ie10

======
atesti
Someone should use this for something good: Jailbreaking Windows 8.

I detest the AppStore model and locked-down devices and wish for many
companies (like the ones Raymond Chen kind of complains about in his blog
oldnewthings) to have a little revenge:

Why not have a setup program which also jailbreaks the Metro interface in
order to e.g. overlay a VideoLan window on top of it or enable access to all
kinds of blocked APIs (like real sockets)?

------
kevingadd
How is it legal for companies like this to sell these exploits? Aren't they
only useful for destructive (and likely illegal) purposes? If they were
actually about protecting their customers wouldn't they sell mitigation steps
and home-grown patches instead of ready-made exploit kits?

I don't understand the exploit market very well, so maybe I'm missing
something obvious here?

~~~
Antiks72
Security researchers do the work and MS wants the information for free. If MS
really wants to fix the problem, let them pay. I don't see the problem with
this.

~~~
cdh
Imagine if someone researched and sold exploits to anyone (“terrorists”,
foreign governments, etc.) internationally which allowed illegal access to
say, real-world bank vaults, nuclear military technology, or high security
prisons. Theoretically, your same logic would be valid, but I'm fairly sure
selling that kind of information on any one of those would be illegal. If not,
then it should be!

It's an exaggerated example, but it seems to me that sometimes what is in the
best interest of everyone as a whole outweighs the desire of some individuals
to exploit the weaknesses of others for personal gain.

~~~
m0nastic
I have a hard time supporting any position that argues that the dissemination
of information should be illegal. The U.S. government tried a variation of
that through export restrictions of cryptography.

I'm not a particularly big fan of firms that sell vulnerabilities (full
disclosure: I've never sold any vulnerabilities I've discovered), but I would
be incredibly uncomfortable with the idea that there should be a litmus test
for what information is safe to trade, and what isn't.

~~~
yuhong
This would only apply to _selling_ information on zero days.

