Windows 10 zero day selling for $90,000 A Windows zero day vulnerability granting hackers deeper access to compromised machines is being sold for US$90,000 (£62,167, A$124,348). The local privilege escalation vulnerability is being sold on crime forum exploit.in and promises to help attackers who already have access to hacked machines. Seller BuggiCorp claims in a …
the local privilege escalation works on Windows systems from version 2000 to the considerably more secure 10.
should be
the local privilege escalation works on Windows systems from version 2000 to the slightly less unsafe 10, and only then if we consider the rather dramatic ramp up of privacy risks in W10 not a security risk. For the rest it's OK.
Bootnote: so Win XP is still OK then? :)
It is expensive in terms of programmer hours needed to reverse engineer the hack, then find and fix the bug being exploited. However the most expensive part is usually testing. Normally both programmer hours and test resources are budgeted to current projects, and even though there are teams dedicated to this kind of work, they are normally busy with paying (support) customers.
Not that I would know much about it.
Reminds me of a story about someone whose garden was plagued by caterpillars who found an advert for a kit that guaranteed it could kill 100% of them. Kit was promptly purchased and, upon arrival, was found to be 2 small blocks of wood labelled A and B, and accompanied by some simple instructions which read: "Place caterpillar on block A, hit with block B."
Why doesn't Microsoft secretly "buy" this so they know what to patch, then release a patch before someone else releases a live exploit into the wild? I mean, $90k is chump-change to them, but a vulnerability that goes all the way back to Win2k is a possible major disaster for the rest of the world.
Why doesn't Microsoft secretly "buy" this so they know what to patch, then release a patch before someone else releases a live exploit into the wild?
Because then every halfwit in the Universe will want to sell them bugs (at present they get them for free).
That is problematic for two reasons:
- there are an awful lot of halfwits in the world;
- it is Windows. No shortage of bugs there;
- it means spending money rather than earning, and no member of MS board can ever be caught doing that without the Universe collapsing in itself.
I have may exaggerated slightly in places, but I think this just about covers it.
Microsoft has a bug bounty program:
https://technet.microsoft.com/en-us/library/dn425036.aspx
max payout is $100,000 (US dollars). $100,000 is greater than $90,000, yes, but you can only get it once, then MS fixes the hole (probably). If you "sell" the bug on the black market, you can sell if multiple times.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
