How Much Would You Pay for a Windows 0-Day?
Author: Diana Stoykova
An attacker, going by the name BuggiCorp, claims to have found a way to exploit a serious, yet undocumented, vulnerability in every version of Windows from Windows 2000 on up to Microsoft’s flagship Windows 10 operating system, which means this threat can affect over 1.5 billion users.
The bug was offered for $90,000 on a Russian underground hacking forum, and the offer was discovered by security firm Trustwave. The cyber criminal illustrates his claim with two YouTube videos detailing how his exploit bypasses all security features in the newest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
The vulnerability is offered for sale to just one person, who will receive the exploit's source code, a fully functional demo, the Microsoft Visual Studio 2005 project file, and free future updates for any Windows version the exploit may fail to run on, as explained by Softpedia.
BuggiCorp gave several technical specifications in his forum post. Apart from suggesting the vulnerability is valid for all OS architectures (x86 and x64), he also claims, for example, that it is of the “write-what-where” type, which is a condition where the cybercriminal is able to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Will Someone Pay for the Zero-Day?
Although the claims have not yet been verified by Microsoft's cyber security specialists, the offer is very likely to be real, and the crook could actually make more profit by claiming a bounty reward from Microsoft than by selling to the cyber criminal community. Trustwave believes that even though the zero-day is expensive, someone will definitely pay for it. Experts claim, however, that it can't be used to infect computers, but only to give better access, because it is by nature a second-phase exploit, gaining boot persistence.
Microsoft has invested a lot in its bug bounty program and is believed to provide high levels of security, although the malware threats to its systems are becoming more and more challenging. Still, Microsoft is considered to offer some of the best product security on the contemporary market.