Windows 10 zero day selling for $90,000

A Windows zero day vulnerability granting hackers deeper access to compromised machines is being sold for US$90,000 (£62,167, A$124,348). The local privilege escalation vulnerability is being sold on crime forum exploit.in and promises to help attackers who already have access to hacked machines. Seller BuggiCorp claims in a …

  1. Anonymous Coward
    Anonymous Coward

    I would like to correct a phrase in that article..

    the local privilege escalation works on Windows systems from version 2000 to the considerably more secure 10.

    should be

    the local privilege escalation works on Windows systems from version 2000 to the slightly less unsafe 10, and only then if we consider the rather dramatic ramp up of privacy risks in W10 not a security risk. For the rest it's OK.

    Bootnote: so Win XP is still OK then? :)

    1. Anonymous Coward
      WTF?

      Re: I would like to correct a phrase in that article..

      Why would XP be OK?

  2. Anonymous Coward
    Anonymous Coward

    This:

    "unless Redmond issues an expensive emergency fix"

    Why is it expensive???

    The programmers are employed there anyway.

    1. Bronek Kozicki Silver badge
      Coat

      Re: This:

      It is expensive in terms of programmer hours needed to reverse engineer the hack, then find and fix the bug being exploited. However the most expensive part is usually testing. Normally both programmer hours and test resources are budgeted to current projects, and even though there are teams dedicated to this kind of work, they are normally busy with paying (support) customers.

      Not that I would know much about it.

      1. Anonymous Coward
        Anonymous Coward

        Re: This:

        Perhaps MS should employ the VX'ers, they seem to have reverse engineered MS closed code VERY quickly and very successfully.

  3. 0laf Silver badge

    Who needs a zero day, I can't get my damn laptop to install an update from November.

    In new Win10 land I can't download it and patch it manually, or even easily see the error log.

  4. David Roberts
    WTF?

    Prerequisites?

    You already need access via a compromised system.

    Very much like the old Victorian adverts for an infallible way of killing mice.

    Pay, and receive instructions "First catch your mouse....."

    1. DJV Silver badge

      Re: Prerequisites?

      Reminds me of a story about someone whose garden was plagued by caterpillars who found an advert for a kit that guaranteed it could kill 100% of them. Kit was promptly purchased and, upon arrival, was found to be 2 small blocks of wood labelled A and B, and accompanied by some simple instructions which read: "Place caterpillar on block A, hit with block B."

    2. Anonymous Coward
      Anonymous Coward

      Re: Prerequisites?

      Reminds me of the Ebay item promising to cut your phone bills to £0. All you get is a form to send to BT asking them to disconnect your line.

  5. Pirate Dave Silver badge
    Pirate

    Richest company in the world

    Why doesn't Microsoft secretly "buy" this so they know what to patch, then release a patch before someone else releases a live exploit into the wild? I mean, $90k is chump-change to them, but a vulnerability that goes all the way back to Win2k is a possible major disaster for the rest of the world.

    1. Anonymous Coward
      Anonymous Coward

      Re: Richest company in the world

      Why doesn't Microsoft secretly "buy" this so they know what to patch, then release a patch before someone else releases a live exploit into the wild?

      Because then every halfwit in the Universe will want to sell them bugs (at present they get them for free).

      That is problematic for two reasons:

      - there are an awful lot of halfwits in the world;

      - it is Windows. No shortage of bugs there;

      - it means spending money rather than earning, and no member of MS board can ever be caught doing that without the Universe collapsing in itself.

      I may have exaggerated slightly in places, but I think this just about covers it.

      1. Jim Mitchell

        Re: Richest company in the world

        Microsoft has a bug bounty program:

        https://technet.microsoft.com/en-us/library/dn425036.aspx

        max payout is $100,000 (US dollars). $100,000 is greater than $90,000, yes, but you can only get it once, then MS fixes the hole (probably). If you "sell" the bug on the black market, you can sell it multiple times.

  6. Aodhhan

    90K for a LOCAL escalation? C'mon.

    Not to mention the fact, you can buy CC numbers for less than $10 each. $90K will go a long way purchasing them without taking the risk of compromising a system and trying to get a local account to escalate.
