Vupen Security, the French company who claims to have found the vulnerability, announced the achievement through a tweet. From the tweet it seems that the HiASLR/AntiROP/DEP & Prot Mode sandbox bypass vulnerability doesn’t require flash to be installed on the vulnerable system to be exploited.
Hackers may very well be able to bypass the Windows 8 security technologies like high-entropy Address Space Layout Randomisation (ASLR), anti-Return Oriented Programming and DEP (data execution prevention) as evident from the tweet, which also mentions that there is no dependency on Adobe Flash whatsoever indicating that the vulnerability is present either within Windows 8 operating system code or that of Internet Explorer 10.
The company hasn’t made the flaw available publicly and neither has Microsoft released any patch to fix the vulnerability. The zero-day vulnerability is probably the first one that affects Windows 8 and Internet Explorer 10 as vulnerabilities affecting other products on Windows 8 have already been found. Vupen hasn’t released any information about the pricing of the vulnerability yet.
There has been no news from Microsoft as yet except a statement from Dave Forstrom, Microsoft’s Trustworthy Computing director – “We saw the tweet, but further details have not been shared with us.”
Experts are of the opinion that if the mentioned vulnerability does exist, it will not go down well for the newly released operating system as Microsoft has been boasting a lot about Windows 8’s improved security.