Slashdot Mirror


Windows Zero-Day Affecting All OS Versions On Sale For $90,000 (softpedia.com)

An anonymous reader writes: "A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM," writes Softpedia. The zero-day is up for sale on a Russian underground hacking forum, and is currently available for $90,000 -- after it was initially up for $95,000. The hacker is saying he'll sell the zero-day to one person only, who'll receive its source code and a working demo. Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features. While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

187 comments

  1. Its not over priced by Anonymous Coward · · Score: 3, Insightful

    if someone will pay it.

    1. Re:Its not over priced by Anonymous Coward · · Score: 0

      Hmmmm is it overpriced if, at a lower price, more would buy it? So many more that the difference in price is compensated for by the increase in customers? I am not trying to be annoying, just philosophical on the meaning of "overpriced".

    2. Re:Its not over priced by Junta · · Score: 1

      But the person said they are going to sell to *one* person. They don't want to sell to multiple people.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Its not over priced by NatasRevol · · Score: 2

      He only wants one customer, so I'd say it doesn't matter.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:Its not over priced by Anonymous Coward · · Score: 0

      > But the person said they are going to sell to *one* person. They don't want to sell to multiple people.

      Yep.

      And you're the only one I'm going to sell the Brooklyn Bridge to.

      Promise!

    5. Re:Its not over priced by 110010001000 · · Score: 3, Funny

      I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

    6. Re:Its not over priced by Opportunist · · Score: 5, Insightful

      Isn't it heartwarming how quickly those Commies embraced Capitalism?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Its not over priced by JustAnotherOldGuy · · Score: 4, Insightful

      > I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

      Exactly. Russian hackers are known for their unfailing honesty and fair dealings in their business practices.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:Its not over priced by Anonymous Coward · · Score: 4, Funny

      Thank goodness Western hackers only do it for God and country

    9. Re:Its not over priced by sshir · · Score: 0

      He will not sell another copy if he wants repeat business.
      He will not sell if retribution for such action is highly likely.
      Plus it's possible to guard against it. For example: put the payment into escrow with condition for money release if vulnerability isn't patched by the end of the year.

    10. Re:Its not over priced by 110010001000 · · Score: 3, Funny

      You are right. People will never trust "BuggiCorp" again. And he can't change his handle, it is on his passport and his Mom would be upset too. Thanks for the tip.

    11. Re:Its not over priced by Falos · · Score: 4, Insightful

      Offering a $100 water bottle to someone dying in the desert is overpriced. You people are deliberately spreading this bullshit about "There's no such thing as 'overpriced' we can charge anything for anything".

      Using the imaginary property racket to monopolize a $500 pill is overpriced. Oops, someone found a functional reprint and is giving it away, now your angry shareholders are gonna have you black bagged.

    12. Re: Its not over priced by Anonymous Coward · · Score: 0

      It's those who do it for god and country, who have to be feared...not those who do it for money!

    13. Re:Its not over priced by pr0fessor · · Score: 1

      That's about 6 million rubles is that enough to retire?

    14. Re:Its not over priced by AlphaBro · · Score: 1

      The first two points are valid. That last, not so much. A vulnerability can be patched at any moment, intentionally or not. This is especially true if live 'sploits are in play.

    15. Re:Its not over priced by sshir · · Score: 3, Insightful

      I'm not an economist, but still, I think you are wrong. By saying "$100 water bottle to someone dying in the desert" you are intentionally conflating water's utility in that particular situation with water's _marginal_ utility and cost. Who knows how that particular bottle ended up in the desert, might be that the seller is dying from thirst himself, etc.
      BTW, marginal utility (and marginal cost) of that vulnerability is exactly zero. Do you expect getting it for free?

      And $500 pill might be an abuse of monopoly position, and might not be (e.g. massive R&D with small number of cases). And while government gives copyright protection it also has the power to rein in monopoly abuses. Blame your slow or corrupt or incompetent government for not slapping pharma's hand. Again - granted monopoly comes with price controls - pharma might self regulate if they wish but don't have to (they have shareholders to feed, risky R&D investments to make, etc).

    16. Re:Its not over priced by Anonymous Coward · · Score: 0

      Highly unlikely, considering that this exploit is apparently valid for all versions of Windows. This set contains many versions of Windows that have gone unsupported for years.

    17. Re:Its not over priced by Anonymous Coward · · Score: 0

      > "There's no such thing as 'overpriced' we can charge anything for anything"

      This is the bullshit I called out, because I'm tired of hearing that ridiculous idea. I genuinely invite opposition on that callout.

      I mean, I don't really mind if you'd prefer to pick over details in off-the-cuff, hyperbolic examples, but that's low-hanging fruit and meaningless. I won't bother defending them, any more than a poorly-doodled cannon or catapult in a chalkboard physics explanation.

    18. Re: Its not over priced by Anonymous Coward · · Score: 0

      So water is so rare that someone ran out and is dying from thirst and you think $100 is overpriced??? You obviously don't understand what a market and supply and demand are. If it cost me $98 to ship that bottle of water to the dying man and I sell it for $100 is it still overpriced? Lots of variables a market has... What if I sell water at $100 now because if I get a cash flux now I will be able to import more and sell more water later for half that price.

      How about you stop pretending like you know the finer workings of other people's businesses, if the price is set and someone buys it then that is the price... That's how market value works. Only idiots say "I over paid" no you didn't you paid what you thought the value of an item was. You may have changed your mind but there's no such thing as over paid. Over priced means no one will buy it. But if he sells it then guess what... It wasn't overpriced after all.

      This is not to be confused with how much you would pay. But that if anyone will pay it then it's at or sets the market price.

    19. Re:Its not over priced by JustAnotherOldGuy · · Score: 1

      > That's about 6 million rubles is that enough to retire?

      No, not nearly enough unless you're already 75 years old, and maybe not even then. It works out to just under $90K ($89,413 according to google). You could live in style for a while but it's hardly retirement-level money.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    20. Re:Its not over priced by pr0fessor · · Score: 1

      I have no idea how the cost of living differs I have friends in countries where $90k USD would be about the same to them as it is to me and some countries where it would be more, of course $90k is a lot more in Kansas than New York and that's the same country.

    21. Re:Its not over priced by JustAnotherOldGuy · · Score: 1

      > I have no idea how the cost of living differs

      It differs based on location and how old you are. No matter where you live you'll need more to retire at 50 than at 70, assuming you want to live to reach 80 (for example).

      --
      Just cruising through this digital world at 33 1/3 rpm...
    22. Re:Its not over priced by Anonymous Coward · · Score: 0

      you're not an economist but if I happen to wander past at that time you tried fleecing someone _dying_, then you'd find the swift blade of my steel etched swiftly in your skull.

    23. Re:Its not over priced by Anonymous Coward · · Score: 0

      Thanks for confirming that all people spouting economics are twats.

    24. Re:Its not over priced by Anonymous Coward · · Score: 0

      > Offering a $100 water bottle to someone dying in the desert is overpriced. You people are deliberately spreading this bullshit about "There's no such thing as 'overpriced' we can charge anything for anything".

      > Using the imaginary property racket to monopolize a $500 pill is overpriced. Oops, someone found a functional reprint and is giving it away, now your angry shareholders are gonna have you black bagged.

      Wrong. You're forgetting that someone had to pay for the resources to find the stupid asshole who went into the desert without water, then take water TO him, running a range of risks to himself, inconveniencing him severely unless he HAPPENED to be heading that way anyway... Or do YOU go trekking into the desert with spare bottles of water out of the kindness of YOUR heart? Do you PATROL the desert against the possibility that some fucktard might be wandering around out there with $100 in his pocket, but not enough water? Of course not. You'd have to PAY someone to do that. There's also probably a dozen other considerations I haven't covered that justify the added expense.

      To give you another example, if you've ever found yourself driving through Nowhere'sville, and been shocked to find gasoline costs two or three times as much per gallon than it does nearer your home, and figure they're gouging you because they know you may have no other choice, you're forgetting someone has to be PAID to live in a benighted shithole out in the middle of fucking nowhere, and bear the expense of trucking in special, all THEIR necessities of daily life just to keep that little one-horse dump of a town in existence. It's not gouging, in fact, they're probably barely scraping by because assholes who think they're gouging will plan NOT to buy shit there, and will blow through at 70+ mph, without stopping for gas because they had the good sense to fill up in Barstow, and maybe even top up a few 5-gallon gas cans strapped to the back of the truck, just to make extra-sure they DIDN'T have to cough up $4.50 or 6 bucks or whatever it is now, for a gallon of cheap, dirty, 85 unleaded gasoline!

      To get back to the hundred dollar bottle of water... you also have to cover the cost of legal fees he might incur if you got sick after drinking the water, and decided to sue our desert-hydration entrepreneur, and of course, also cover his opportunity-cost reimbursing him the money he COULD have been making if he hadn't had to waste the time scouring the desert for people who failed to plan properly, or at least who had a run of bad luck with being in an inhospitable place without the basic necessities of survival... all amortized over the few of these expensive bottles of water they sell. It's basic fucking supply and demand. You'd know that if you'd stayed in school.

      In short, to sum-up, why not leave economics to people who know what the fuck they're talking about?

    25. Re:Its not over priced by FilatovEV · · Score: 1

      > That's about 6 million rubles is that enough to retire?

      It's a not-too-much-qualified programmer's wage during 4 years, assuming a domestic Russian employer (a monthly wage of 120k roubles is what pretty much any guy can get doing programming in a Russian company). But a person that qualified always has the option to work for a Western company, in which case it's about a year's wage, give or take.

    26. Re:Its not over priced by FilatovEV · · Score: 1

      > Isn't it heartwarming how quickly those Commies embraced Capitalism?

      It wouldn't harm to do a bit of reading to better appreciate the Russian culture since after the collapse of the Soviet Union. You could start with a popular 1997 sci-fi novel.

      Basically there was wild Capitalism since 1991, and it's not fun.

    27. Re: Its not over priced by Anonymous Coward · · Score: 0

      How about you stop pretending there's no such thing as exploitation, manipulation, extortion, etc etc etc that deliberately wedge a very real gap between market value and price tag. The biggest gap legally possible, as business logic dictates. I can respect someone who claims they're only following the natural order of things, but you're only going to make me laugh when you get pious about it.

      Wartime gouging had at times been so laughable it's got laws written. Again, it's fine if the bullshit is "just good sense" on your part, but don't pretend it's not bullshit.

    28. Re:Its not over priced by Anonymous Coward · · Score: 0

      So much tryhard, and all you're saying is "well it's intrinsic cost".

      GP isn't talking about intrinsic pricing and you know it.

      The only uncertainty here is whether your BS is (a) deliberate and manipulative; (b) you're rationalizing without knowing it; (c) you swallowed this brainwash historically and can only parrot it.

    29. Re:Its not over priced by lsatenstein · · Score: 1

      NSA, Homeland Security, and other goodguys (sic) will do a joint purchase.

      --
      Leslie Satenstein Montreal Quebec Canada
  2. It is worth what somebody will pay for it by thue · · Score: 4, Insightful

    > While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

    If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

    1. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 5, Funny

      I got Windows 10, including all its vulnerabilities, for free. No way is anyone paying $90K for just one of them.

    2. Re:It is worth what somebody will pay for it by mrchaotica · · Score: 1

      They failed to sell it at $95,000, so that amount was overpriced. Since it hasn't sold yet (or at least, Slashdot hasn't reported its sale yet), whether $90,000 is overpriced remains to be seen.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 1

      I just woke up one morning, and it was fucking there. I assume it was free, but I really don't know for sure. I just woke up the computer from sleep mode and there was Windows 10 staring back at me. On top of that, it had uninstalled 3 of my apps because it said they were not certified to work with Windows 10. It didn't even ask, it just nuked them. Luckily they were things that I almost never use, but that was wrong. Fuck Windows 10.

    4. Re:It is worth what somebody will pay for it by ripvlan · · Score: 1

      While I agree with your sentiment - something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

      I suppose it depends upon how many bidders there are. If there are 20 people who might want to buy it - but only 1 buys it - then it might have been too high a price.

      Years ago a friend told me - when discussing setting prices for a tag sale - go on eBay to determine the value of something. It is like a commodities market and shows the price that the market will bear.

    5. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0, Interesting

      Windows. The cheapest, best option. If your time is worthless.

      I used to say this about Linux, but it's become better than Windows.

    6. Re:It is worth what somebody will pay for it by b0bby · · Score: 1

      > something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

      Well, that's the market - all you need is one "idiot" in this case. A "fair" price can be influenced by a lot of things, but a market price should be the highest price the market will bear.

    7. Re:It is worth what somebody will pay for it by bondsbw · · Score: 1

      In this case, due to supply vs. demand (where supply = 1) it is the same as literally the highest price anyone will pay for it.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:It is worth what somebody will pay for it by geekmux · · Score: 2, Interesting

      > > While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

      > If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

      And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

      Of course, we knew the latter already...

    9. Re:It is worth what somebody will pay for it by JcMorin · · Score: 1

      I tend to agree since the hacker said he will sell it only once, that seems to be a good deal for Microsoft.

    10. Re:It is worth what somebody will pay for it by Flavianoep · · Score: 1

      They must be trying to figure out what the vulnerability is, or if it actually exists at all.

      --
      Linux is for people who don't mind RTFM.
    11. Re:It is worth what somebody will pay for it by Dr_Barnowl · · Score: 4, Interesting

      Learning Linux is like learning to drive a stick shift.

      A few more skills, in exchange for more efficiency and better performance.

    12. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 1

      > Windows. The cheapest, best option. If your time is worthless.

      > I used to say this about Linux, but it's become better than Windows.

      Or you got a clue. That does tend to happen over time. Sometimes. Not all Linux users are noobs constantly making forum posts wondering why something doesn't work. Some of us know what we're doing. We set a thing up once and it continues to run smoothly while we do whatever it is we intended to do with the system.

      For the clueful it's always been better than Windows with the one exception of heavy gamers. Linux was rock solid stable back in the crashy Win 9x days, it has one hell of a lot less remotely exploitable vulnerabilities and plenty of ways to reduce your attack surface (don't run shit like Sendmail). It has no viruses in the wild despite the powerful high-bandwidth tempting targets that > 50% of all web servers would make. It has centralized package management instead of chaotically letting each application run its own updater like in Windows so it's easier to be sure things get patched. It also has options to mitigate threats like grsecurity, selinux, and building source with SSP.

      It also comes with the bonus of not dealing with Microsoft, and avoiding all the baggage attached to that. I know some of you love to hate that reason - maybe you must deal with Windows at work so you have to rationalize it. That's understandable, but no reason to disregard the long hostile history of MS and no reason to ignore the wisdom of those who have witnessed it personally. Their new thing is using a "free" upgrade to spy on their own customers - that's just the latest in a long line of abuses, some illegal, most not, all hostile. Some of us got tired of saying "ouch ... more!" because we're not into electronic S&M.

    13. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      I realize this is a troll, but here I am responding:

      > Windows. The cheapest, best option. If your time is worthless.

      > I used to say this about Linux, but it's become better than Windows.

      Linux has never been an option when your time is worthless. Anyone thinking that there is no time commitment when learning how to use a tool has a broken valuation standard - they're also ignoring all the time they have spent learning and fighting with the O.S. they are currently using.

      I've been using Linux since the 1.x days and it's always been a *valuable* tool. I've also spent sufficient time using Windows, Mac OS and others to know that there's no less fighting with insanity - just different flavors. Thankfully I haven't had an installation of Windows for years so I haven't been inflicted with the malady of the release 10 forced upgrade. Serves the fools right since they also forgot to add a factor for freedom to their valuation equation.

      Now if you'll excuse me I'll go back to grumbling about systemd, GNOME 3.x and other real problems . . . except we can route around the damage.

    14. Re:It is worth what somebody will pay for it by bbelt16ag · · Score: 2

      you don't even got to learn to use a clutch anymore, how hard can it be? C is C, .net is .net what's the damn big deal? move people move! Microsoft is the Villain, always has been always will be.

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    15. Re:It is worth what somebody will pay for it by jo7hs2 · · Score: 3, Insightful

      Actually, EPA mileage estimates usually come out slightly *higher* for automatics now. Just saying.

    16. Re:It is worth what somebody will pay for it by Opportunist · · Score: 2

      Timeo Danaos et dona ferentes

      And considering the gift mentioned in this quote was the Trojan Horse, I can't think of a better phrase describing how I feel about Windows 10.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    17. Re:It is worth what somebody will pay for it by Opportunist · · Score: 1

      Windows. Proof of the "you get what you pay for" proverb.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re: It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      ... your ... apps ?

    19. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      And the way to find that is to hold an auction where all interested parties bid the price up to that point. Not throw out random numbers to see if there's any takers.

    20. Re:It is worth what somebody will pay for it by Opportunist · · Score: 2, Informative

      Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

      Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound that you could get out of your mainboard and it's even nontrivial for people without a decent Linux background to get their graphics acceleration working. And even games that allegedly have Linux support usually mean that "it should run in Mono, right?"

      In other words, Linux on a server? Any time. And probably better supported and faster than what you'll get on Windows.

      Linux on the desktop? Not if gaming is your goal and/or nonstandard non-server hardware is what you'll be using. This is not necessarily the fault of Linux itself, more one of hardware manufacturers delivering zero to little support for their hardware for use in Linux. Which in turn is mostly due to most people buying their hardware for Windows and only installing Linux as an afterthought, only to find out that their hardware is not working as it should, blame Linux and switch back.

      And no, I don't have a solution ready for this.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:It is worth what somebody will pay for it by brxndxn · · Score: 0

      EPA can't drive stick. And, they drive slow as all hell in automatics. No one gets the EPA mileage in an automatic unless they drive like a total asshole on the road (total slow fuck). Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

      --
      --- We need more Ron Paul!
    22. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 1

      > They must be trying to figure out what the vulnerability is, or if it actually exists at all.

      Or even Microsoft's billions aren't enough to keep playing whack-a-mole with all the vulnerabilities in Windows.

      That or they don't want to be in a position of rewarding this kind of research. Some companies do have bug-bounties because they want to openly attract white-hats but I've never heard of MS doing that. MS probably just wants the whole thing to go away. It won't, but when you have a monopoly you can afford to pretend.

    23. Re:It is worth what somebody will pay for it by David_Hart · · Score: 1

      > Learning Linux is like learning to drive a stick shift.

      > A few more skills, in exchange for more efficiency and better performance.

      More like a model-T where you have to set the gas, choke, and then hand crank it. Some distributions are more user friendly than others, but if you want to do anything more than web browsing and document editing it requires a steeper learning curve than learning how to drive a stick.

    24. Re:It is worth what somebody will pay for it by Gr8Apes · · Score: 1

      > > Windows. The cheapest, best option. If your time is worthless.

      > Linux has never been an option when your time is worthless. Anyone thinking that there is no time commitment when learning how to use a tool has a broken valuation standard - they're also ignoring all the time they have spent learning and fighting with the O.S. they are currently using.

      This is what people don't understand. A LiveCD(DVD) will get you running on Linux with minimal fuss, much like the initial crappy windows install. Windows was alluring because it was simpler for many, and came pre-installed. Plus, Office ran on it. Office is now no longer as important (seriously, it isn't, you can live without it even in an Office oriented world) and the costs of keeping Windows running and not invading your privacy IMHO has now exceeded learning Mac OS or Linux. Hell, even learning how to build and install Gentoo might be simpler.

      > Now if you'll excuse me I'll go back to grumbling about systemd, GNOME 3.x and other real problems . . . except we can route around the damage.

      Systemd is banned on any system I run. Any *service* that demands that POSIX compliant apps be rewritten to its non-POSIX standards is a massive FAIL. The sooner the various systemd pandering distros realize that, the better. Or maybe not. After all, NetBSD, or any BSD really, is rock solid and a better system in many ways. And no systemd there. :)

      --
      The cesspool just got a check and balance.
    25. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      No viruses in the wild? Oh really? Ever heard of mumblehard?

    26. Re:It is worth what somebody will pay for it by olsmeister · · Score: 2

      Also, nobody asks to borrow your car (computer) because they cannot operate it.

    27. Re:It is worth what somebody will pay for it by flyingfsck · · Score: 1

      No, Winston Churchill only said never 7 times in that speech, not 8.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    28. Re:It is worth what somebody will pay for it by flyingfsck · · Score: 1, Funny

      Yes, yes, Linux doesn't work on toys, but it works on everything else. Windows only works on toys.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    29. Re:It is worth what somebody will pay for it by Opportunist · · Score: 5, Insightful

      The problem is, most of the Joe Randomusers out there use their computer primarily as a toy.

      What Joe wants is to look at his Facebook, read his mail, chat with friends and play some games. And that's it. Yes, we up here in our beautiful ivory tower, we might have some lofty ideas what our computers should or should not do, but that matters little to the 99% of Joes out there. They don't care about spyware in their OS. They don't care about only being allowed to install software from the walled garden (because that's all THEY want). And they don't give a shit that we rant and rave against it.

      And neither do hardware makers. They care about sales numbers. If that means to offer locked down hardware that is to the liking of governments and corporations, they will offer locked down hardware. Not because they are "evil", because they hate free speech or because they don't want us to actually own the machines we pay for, but simply because that means more sales.

      So yes, if you want freedom, you have to cater to that Joe out there who wants to play with his toys. Because we are few and the Joes are many. So we need those Joes that want their toys in our boat to get the hardware (and software) makers to do what we want.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re: It is worth what somebody will pay for it by Type44Q · · Score: 1

      > Notoriously most non-server related hardware.

      You're years out of date.

    31. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      > (you know the kind, with the 20 buttons)

      Windows doesn't support these either. You eventually hit the nail on the head, but it really should be given top billing: the issue is companies who are willing to support Windows, but not willing to support Linux. This is presumably a cost-benefit analysis for them, and not all make this same decision. Do what you can to choose companies that support a wide variety of OSes!

      > And even games that allegedly have Linux support

      What are you on about? Linux compiled games work for me the same way Windows compiled games do. I click and play.

    32. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 1

      It's an estimate. It's probably a good one too- most stick drivers aren't going for efficiency all the time, and automatics have gotten smarter at this than in the past. But if you drive a manual for gas mileage, you'll beat the robot still, for sure.

    33. Re:It is worth what somebody will pay for it by Opportunist · · Score: 1

      The problem is not just me. The problem is Joe who gets fed up with Windows and eventually gets off his butt and tries something else. Joe will invariably have hardware in his system that will not work well with Linux. Yes, it's a problem of the hardware manufacturers, but in the end, it's ours. Because Joe doesn't care WHY his hardware isn't supported, he cares THAT it isn't supported.

      And I could think of quite a few games that refused to work for me in Linux. KSP being maybe the one that most people here would know best.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re:It is worth what somebody will pay for it by thegarbz · · Score: 1

      A few more skills, in exchange for more efficiency and better performance.

      That is actually a very awesome and relevant comparison given that these days you get better efficiency and better performance out of a variety of the modern automatic transmissions and the only thing that stick shift drivers still have to boast about is more control over their engine.

    35. Re:It is worth what somebody will pay for it by fahrbot-bot · · Score: 2

      but there is little to no support for programmable mice (you know the kind, with the 20 buttons)

      Twenty buttons on a mouse? At that point, wouldn't it just be easier to mount an LED on the bottom of your keyboard and use *that* as your mouse?

      --
      It must have been something you assimilated. . . .
    36. Re: It is worth what somebody will pay for it by Opportunist · · Score: 1

      Ok, then. Since I could not locate them and you're obviously far more knowledgeable, I'm really sure you could point me to the Linux drivers for the Asus Xonar Essence STX so I could actually use it for more than the built-in sound card on the mainboard (for which I also have no drivers, but then again, I don't use it, so...) and tell me how to make a Mad Catz R.A.T. 7 Gaming mouse work (not even talking about drivers for the special tidbits, I'd be happy if all my clicks were noticed already) in XWindow? And while you're at it, please point me to the Linux version of the configuration tool for the Thrustmaster Warthog HOTAS. And please point me to the Linux drivers for the USB soundcard that comes with the Sennheiser D363 headset, that would be great.

      Thank you!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    37. Re:It is worth what somebody will pay for it by Minupla · · Score: 1

      It can't be that good an exploit. M$ pays up to 100KUSD for bug bounties. If it was that good, they'd just sell it to M$, instead of discounting to 90K.

      Expect it'll get discounted again before sale. Although they have to be happy about the PR, might help them get a sale.

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    38. Re:It is worth what somebody will pay for it by thegarbz · · Score: 1

      Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

      Lol nice try. But not only are the EPA estimates gamed in a way that unless you drive downhill both ways you're not going to beat them, but manufacturers have in the past year come out of the woodworks showing how they themselves game the system to achieve even lower mileage than the car would in any ordinary situation.

    39. Re:It is worth what somebody will pay for it by Opportunist · · Score: 1

      C'mon, you're not that aspie that you don't understand the concept of exaggerations.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    40. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      >

      Please learn how to quote properly, this isn't 4chan. ;^)

    41. Re:It is worth what somebody will pay for it by Mashiki · · Score: 1

      Learning Linux is like learning to drive a stick shift.

      A few more skills, in exchange for more efficiency and better performance.

      The only downside is that for gaming in general, 'nix is pretty shitty. I know some idiot will go, blahblah,gaming,blahblah,nicheshit. Keep in mind that most of what people use 'nix for would also be considered niche shit. That's changing at last though, especially with vulkan and the number of developers that are on board with it vs DX12 and that all video card manufacturers are on board with it. With any luck it'll finally put the nail in the coffin of OpenGL and that giant clusterfuck it has yet to recover from back ~5 years ago. They get it worked out, and we'll finally see "year of the 'nix desktop" ... finally... after almost 20 years of people claiming it so.

      --
      Om, nomnomnom...
    42. Re:It is worth what somebody will pay for it by fahrbot-bot · · Score: 1

      C'mon, you're not that aspie that you don't understand the concept of exaggerations.

      Nope. I've just been around long enough to know how ridiculous some hardware can be and am not assuming you're joking. I'm *sure* someone out there actually has a mouse with 20 buttons on it -- probably that they custom built -- or will want one after reading your post. Just you wait. Someone is going to ask where you got it. :-)

      --
      It must have been something you assimilated. . . .
    43. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      I completely believe you when it comes to modern cars. However, as anecdotal evidence, I have routinely beat epa estimates for 90's era vehicles when travelling entirely on the freeway in automatics. Just wanted to add that since it paints the picture that epa numbers were not gamed that hard until the 2000's or later.

    44. Re:It is worth what somebody will pay for it by drinkypoo · · Score: 1

      EPA can't drive stick. And, they drive slow as all hell in automatics. No one gets the EPA mileage in an automatic unless they drive like a total asshole on the road (total slow fuck).

      I have no trouble getting the EPA estimated mileage in my 1997 Audi A8 Quattro, and that was back in the day when the EPA mileage estimates were invented from dreams and unicorn jism. It's got 230,000 miles on it, and still gets over 19 MPG combined. The window sticker estimate is 17/25; the 3.7 liter FWD model has an 18 combined estimate and I have the 4.2 liter AWD version. (The EPA has not published a combined mileage estimate for my vehicle.) And here's a couple on Fuelly getting over 21, they must be doing pretty much all-highway. And I make pretty good time, I don't hesitate to pass, etc. I just don't waste fuel. Enjoying it isn't wasting it, but if you're on the brakes all the time, that is. And mind you, it has a fairly old-school automatic... clutch packs and not bands, but still triple-planetary.

      Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

      Most people don't downshift soon enough on flat, and/or downshift too soon on a hill, and they fail to get good mileage.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    45. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      A few more skills, in exchange for more efficiency and better performance.

      That is actually a very awesome and relevant comparison given that these days you get better efficiency and better performance out of a variety of the modern automatic transmissions and the only thing that stick shift drivers still have to boast about is more control over their engine.

      On slippery winter roads control over the engine matters.

    46. Re:It is worth what somebody will pay for it by tlhIngan · · Score: 1

      Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

      Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound that you could get out of your mainboard and it's even nontrivial for people without a decent Linux background to get their graphics acceleration working. And even games that allegedly have Linux support usually mean that "it should run in Mono, right?"

      In other words, Linux on a server? Any time. And probably better supported and faster than what you'll get on Windows.

      Linux on the desktop? Not if gaming is your goal and/or nonstandard non-server hardware is what you'll be using. This is not necessarily the fault of Linux itself, more one of hardware manufacturer delivering zero to little support for their hardware for use in Linux. Which in turn is mostly due to most people buying their hardware for Windows and only installing Linux as an afterthought, only to find out that their Hardware is not working as it should, blame Linux and switch back.

      And no, I don't have a solution ready for this.

      It's not the esoteric hardware that's the problem, it's the whole Linux development philosophy needs to change for Linux on the desktop.

      Server use cases are completely different from desktop use cases, and much conflict has occurred over stuff to get Linux on the desktop.

      Things like NetworkManager, PulseAudio, SystemD are required on the desktop because they enable operations that users expect from a decent desktop OS. And yet if you listen to the Linux communities at large, you'd think each one was the devil for being large, monolithic and completely "not Unix".

      And that's ignoring the need to standardize on a desktop environment.

      NetworkManager is completely necessary even though it doesn't seem to do much - because mobile computers will connect to multiple networks with multiple requirements all the time - /etc/network/interfaces was just not designed to handle scenarios where WiFi may attach to a home network, a work network, and multiple public networks, each with a varying configuration of static/dynamic IPs, firewall, VPN, and other settings. Heck, most OSes note the MAC address of the gateway router to figure out what network they're on to make life easier (i.e., if the gateway is the one you marked "Home", then the network manager stack will configure the network for your home).

      PulseAudio is another one, something necessary because sound cards will appear and disappear constantly. (I.e., stuff like Bluetooth headsets, USB DACs, etc). Again, in a mobile use case, a user may dock their PC which has a USB DAC associated with it, and the moment they do, audio should seamlessly switch to it. (Granted, some application can use "exclusive" mode and they may need restarting in order to associate with the proper hardware.) But in the general use case, most users will use the default system mixer which should intelligently move the music from internal sound to the external sound card without skipping a beat. Plus, they want to be able to watch their YouTube video and such so everything should be mixed in. And when they get a VoIP call, it would use their speakers and microphones until the user plugs in their headset (USB based, or Bluetooth) at which point the OS should systematically route just the communications audio to the VoIP program to the headset, even while music or other thing is running, without skipping a beat.

      All these require big monolithic blocks and completely destroy "the unix way" because there is no way to solve the complexity of these operations without big monolithic services.

    47. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      I have yet to see anyone who can shift faster than an automatic transmission.

    48. Re:It is worth what somebody will pay for it by clarkn0va · · Score: 3, Insightful

      And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

      Of course, we knew the latter already...

      While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
    49. Re: It is worth what somebody will pay for it by Bing+Tsher+E · · Score: 1

      The 'non-server related hardware' Linux supports is out of date, too. Moving target, dude.

    50. Re:It is worth what somebody will pay for it by Bing+Tsher+E · · Score: 0

      Defining the problem away only works for some use cases.

      Gamers pay a lot extra for mice with lots of extra functions.

      You're probably right that such a mouse is useless for Tux Racer.

    51. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Tires matter more than the engine on wintry roads, and if it's that icy you need tire chains.

    52. Re:It is worth what somebody will pay for it by mink · · Score: 1

      I own a gen 1 Prius (296K miles) and even when it was new the best way to improve mileage to near sticker (highway) was to use cruise control as much as possible.

      --
      Well I've wrestled with reality for thirty five years doctor, and I'm happy to say I finally won out over it.
    53. Re:It is worth what somebody will pay for it by geekmux · · Score: 1

      And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

      Of course, we knew the latter already...

      While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

      Since you've kindly labeled this as a "ransom", please feel free to tell me how this is really that different from a bug bounty program.

      You can label this "activity" any way you want. At the end of the day, it's Microsoft paying someone to help make their own damn product secure. One would think that would be worth it to them. The only real difference is Microsoft is being forced to pay more than a pathetic pittance for the solution.

    54. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Yeah, cause the Logitech G600, Razer Naga and other gaming mice just don't exist... Only homebuilt pseudo-mice could possibly have more than one button in your world?

    55. Re:It is worth what somebody will pay for it by KingMotley · · Score: 1

      Not much of an exaggeration. Mine has 19.

    56. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Don't forget the smug factor.

    57. Re:It is worth what somebody will pay for it by negRo_slim · · Score: 1

      It has no viruses in the wild despite the powerful high-bandwidth tempting targets that > 50% of all web servers would make.

      I'm glad someone brought some humour into this discussion. Good show!

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
    58. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Umm almost. If there *is* a buyer who will pay $90,000... not "if they think" -- the definition must be fact based, not just a projection.

    59. Re: It is worth what somebody will pay for it by haruchai · · Score: 1

      Have you tried asking the vendor to write a driver? They wrote the ones for Windows, didn't they?

      --
      Pain is merely failure leaving the body
    60. Re:It is worth what somebody will pay for it by Lord+Crc · · Score: 1

      Windows only works on toys.

      Linux on desktop is a toy.

      I use Windows on my desktop PC because I prefer to get shit done.

    61. Re:It is worth what somebody will pay for it by Githyanki · · Score: 0

      Why not turn it in for the bug bounty, then sell it on market, then claim it didn't sell at higher price and relist it at a lower price, and repeat till people stop buying it.

      Lots of profit this way!

    62. Re: It is worth what somebody will pay for it by Opportunist · · Score: 1

      Yes. There is a market for that in Windows, ya know? Linux gaming is still a rather insignificant portion of the cake.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    63. Re: It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      http://www.alsa-project.org/main/index.php/Matrix:Module-virtuoso

    64. Re:It is worth what somebody will pay for it by HiThere · · Score: 1

      Sorry, but that's not true. Microsoft is *A* villain. There are plenty of others. In fact, just about every group is a villain in some area. Apple is notorious for binding users to its hardware, and has been since the Apple ][ variable density disk drives. Google slurps up user information. Red Hat pushes systemd. Etc.

      There are plenty of villains to go around. Microsoft is just an unusually wide spectrum villain. But they used to sell good keyboards.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    65. Re:It is worth what somebody will pay for it by HiThere · · Score: 1

      I'd like to say "that's Greek to me", but I know it's Latin...Virgil if I recall correctly.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    66. Re:It is worth what somebody will pay for it by TeknoHog · · Score: 1

      Learning Linux is like learning to drive a stick shift.

      That's a nice comparison, because here in Finland everyone who learns to drive, does so with stick shift and clutch. Automatic transmissions are only used by disabled people. This is obviously why Linux comes from Finland and Windows comes from the USA.

      --
      Escher was the first MC and Giger invented the HR department.
    67. Re:It is worth what somebody will pay for it by Copid · · Score: 1

      The difference between paying for this and paying a ransom is that paying a ransom encourages people to do damage that otherwise wouldn't have occurred. In this case, the bug clearly exists already (assuming this isn't fraud), so somebody is going to find it and use it sooner or later, even if this guy doesn't sell the exploit. If it's real, $90K sounds like a sweet deal for Microsoft. A serious incident involving an exploit like that would cause way more than $90K in damage, and it would cost a team of engineers way more than $90K to figure out what this bug is and fix it.

      --
      An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
    68. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      The amount of substance in that comment is staggering.

    69. Re:It is worth what somebody will pay for it by mtxmorph · · Score: 1

      Linux on desktop is a toy.

      Is it now?

      Hmm, then I must have been playing instead of working here in the office - it's been two years since I switched my laptop over. Thanks for letting me know; it's a good thing they haven't fired me.

    70. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Autos have long since surpassed manual, so your analogy has been retired.
      http://www.edmunds.com/fuel-economy/five-myths-about-stick-shifts.html

    71. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      You do realise that when manual cars are driven for efficiency readings there is a box in the vehicle telling the driver when to change gear? Once the vehicle is in the hands of the average Joe there's no more special box and hence efficiency is much worse than an auto.

    72. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      Learning Linux is like learning to drive a stick shift.

      A few more skills, in exchange for more efficiency and better performance.

      Actually, I think you're right, learning GNU/Linux is like learning to drive a stick-shift, but in your analogy you failed to mention that it's like learning to drive a stick-shift to avoid driving an automatic, which you can do with much less skill, but you're doing it wearing the anus of someone at Microsoft Corp. as an oxygen mask, as they continually shit in your face and laugh at you for being stupid enough to be using their shitty goddamned fucking useless crippled garbage shitware, just because you couldn't be troubled to learn to drive the metaphorical stick that is GNU/Linux.

      That shitty taste in your mouth? That's Microsoft Corp., using your face as a toilet.

      Don't forget to flush!

    73. Re: It is worth what somebody will pay for it by Opportunist · · Score: 1

      One out of four. And it's from an AC. And it's something that I'd not really trust Joe Randomuser with.

      But hey, it's a start. Out of curiosity, dear AC, how long did you search for it when you needed it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    74. Re:It is worth what somebody will pay for it by Reziac · · Score: 1

      Small potatoes. Did you see Tom Scott's emoji keyboard??!

      https://www.youtube.com/watch?...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    75. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 0

      I drive a 2016 Subaru BRZ. It is stickered at 24 city/30 highway. I've averaged 32.6 mpg since I got the car. My previous car was a 2000 Suzuki Esteem, stickered at 24/32. I averaged 32.5 mpg.

  3. Windows 10, the most secure version of Windows by LichtSpektren · · Score: 0, Troll

    ever!

    1. Re:Windows 10, the most secure version of Windows by Opportunist · · Score: 2

      That's about as good as being the best Aussie Rules Football player in the whole Vatican. I'd dare say it might even be the Pope.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Windows 10, the most secure version of Windows by Type44Q · · Score: 1

      I'd say the priests have got the advantage if that's touch football...

    3. Re: Windows 10, the most secure version of Windows by Anonymous Coward · · Score: 0

      Exactly. They've had plenty of experience fondling balls.

  4. Headline by rossdee · · Score: 1

    "All OS Versions On Sale For $90,000"

    What OS versions retail for $90,000?

    Maybe some punctuation in the headline might help.

    1. Re:Headline by Anonymous Coward · · Score: 0

      No it's not needed: "Windows Zero-Day [That Is] Affecting All OS Versions [Is] On Sale For $90,000" You can skip certain words in headlines. AP guidelines.

  5. Perspective by Psicopatico · · Score: 1

    You shouldn't worry about known exploits.
    You should worry about unknown exploits.

    --
    Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
    1. Re: Perspective by Anonymous Coward · · Score: 0

      Don't worry, be happy!

    2. Re:Perspective by Dr_Barnowl · · Score: 1

      It's unknown though. It's just a known unknown instead of an unknown unknown.

    3. Re:Perspective by Opportunist · · Score: 1

      I wouldn't know.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Well,it's too late! by Anonymous Coward · · Score: 0

    Zero day?! Well, it's the FIRST of June! Hah! Zero came and went with no issue!

    Geeze, you'd have to be real stupid to buy a zero day exploit on the first!

    1. Re:Well,it's too late! by omnichad · · Score: 1

      Wrong zero. It's still -29 days until the Zeroth of July

    2. Re:Well,it's too late! by sexconker · · Score: 1

      That's not how any of this works.

  7. From TFA by Anonymous Coward · · Score: 0

    Choice quote: "Many security firms point at Microsoft as the company with the best approaches to product security on the market today"

    Hmmm...

    (scary captcha again: intrude)

    1. Re:From TFA by NatasRevol · · Score: 1

      Approaches, possibly.

      Implementation, not fucking close.

      --
      There are two types of people in the world: Those who crave closure
  8. Not overpriced at $90K by xxxJonBoyxxx · · Score: 5, Interesting

    >> While security experts think the ($90K) zero-day may be overpriced

    As a security expert and occasional entrepreneur, let me tell you why this isn't overpriced. Let's say you could deliver 10,000 phishing emails that lead to installation of $70/unlock ransomware screens, of which 50% of victims usually pay. That's $350K of revenue, minus costs of the initial phishing campaign ($5K-ish), bitcoin exchange fees (maybe $10K) and the $90K for your zero day. That leaves a profit of about $250K - not bad for a few days of work.

    1. Re:Not overpriced at $90K by Anonymous Coward · · Score: 0

      You need the user to run your code for this exploit to work.

      If you get the user to run your code, you can already encrypt anything they have write access to, which is typically the stuff the user actually cares about.

      So I doubt it will have any impact on ransomware infections.

      Local elevation exploits are still useful, but not as useful for malware as it used to be.

    2. Re:Not overpriced at $90K by Anonymous Coward · · Score: 1

      It can be wrapped in any number of games and applications, and stuffed onto torrent sites, or even shiteware sites like cnet's. Every week a new mega-game is coming out, suckers are waiting. With the holiday season new CoD, BF, et al looming, millions will grab the latest without a thought.

    3. Re:Not overpriced at $90K by Anonymous Coward · · Score: 0

      Or, if you had a malware organization that can step up their game:

      1: Buy the security exploit.
      2: Use data dumps to do spear phishing exploits, pay the ad guys so your malicious Flash stuff drops payloads, etc.
      3: Let your ransomware, which can spread via the domain and use domain admin rights to encrypt AD infrastructure (pull out the BitLocker recovery keys, encrypt them, change all user passwords), then lock all accounts except a guest account that displays info on where in the .onion to go with the BitCoins.
      4: Must have "?????"
      5: Profit. Rake in the bucks with little to no chance of reprisal, especially if in a country that doesn't like the US, and your ransomware doesn't affect machines of the home geographic region.

    4. Re:Not overpriced at $90K by Anonymous Coward · · Score: 1

      If a competitor is selling theirs for half the price, is yours still not overpriced because your buyer can still make a profit?

  9. ALL Windows versions? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    It works on Windows XP? Windows 98SE? Windows 3.11?

    1. Re:ALL Windows versions? by nullCRC · · Score: 1

      just not Windows 2.0

      --
      Vescere bracis meis.
    2. Re:ALL Windows versions? by Phydeaux · · Score: 3, Informative

      Win 3.11 was an operating environment, so technically not the Win 3.x family. The real question is, will it work on WinME, because even officially authorized software was unable to work with it...

    3. Re:ALL Windows versions? by TeknoHog · · Score: 1

      The real question is, will it work on WinME

      I first read that as "Wine", and a good exploit should be portable in that way. Although I guess technically that would count as a mere operating environment.

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re:ALL Windows versions? by Anonymous Coward · · Score: 0

      There's no such thing as Windows 2.0, retard. Everyone knows the first version was 3.1.

    5. Re:ALL Windows versions? by Anonymous Coward · · Score: 0

      Actually there was a Windows 2.0 AND a Windows 1.0 (released in 1985). It was released as 1.0, 1.02, 1.03 and 1.04 and was supported until 2001!

  10. Microsoft could buy this by Anonymous Coward · · Score: 0

    So they could force windows 10 upgrade way better!

  11. MS Goes Black by TFlan91 · · Score: 1

    If you thought gwx.exe was a bitch, just wait until MS gets their hands on this exploit!

    "But... it was the Russians! They thought they could brick all US PC's by forcing Win10 upgrade!"

  12. Not *all* Windows versions by Junta · · Score: 1

    exists in all OS [versions], starting from Windows 2000.

    And people mock me for running NT4!

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Not *all* Windows versions by Anonymous Coward · · Score: 0

      exists in all OS [versions], starting from Windows 2000.

      And people mock me for running NT4!

      Upgrade to Windows 10. It's before Windows 2000 so it must be safe.

    2. Re:Not *all* Windows versions by Anonymous Coward · · Score: 0

      We just mock you for running Windows at all.

    3. Re:Not *all* Windows versions by Anonymous Coward · · Score: 1

      At least the last time he saw a vagina in person wasn't when being birthed by his mom. You on the other hand...

    4. Re:Not *all* Windows versions by Anonymous Coward · · Score: 0

      Ahh, so the claim of M$ that Win10 had a different code base compared to all the previous versions is false.

    5. Re:Not *all* Windows versions by TemporalBeing · · Score: 1

      Ahh, so the claim of M$ that Win10 had a different code base compared to all the previous versions is false.

      When did they make that claim? Never that I'm aware of.

      Historically, Microsoft had two code bases: Win9x line, and NT line. With WinME and Win2k/XP, the two lines merged. Then between Win2k/XP and Win2k3/Vista, there was a major refactor of the codebase, removing cyclic dependencies, user-kernel-user dependencies (so it was only user->kernel, no kernel->user), reducing headers so you could actually include simple headers instead of the entire Windows API all the time, and more. Every version of Windows since Vista has been an incremental change building off of that refactor.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    6. Re:Not *all* Windows versions by Bing+Tsher+E · · Score: 2

      I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

      The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

    7. Re:Not *all* Windows versions by TemporalBeing · · Score: 1

      I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

      True, though I really didn't like XP's interface (eX-Professional - due to all the bubbles, etc - really made it seem childish to me). Between it and cost I jumped over to Linux for Desktop more quickly; though my employers stuck with Windows.

      The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

      Kind of. Win9x/Me and Win2k were pretty close in many respects as far as usability went from a user perspective. The jump from that to the Linux DEs was pretty significant so yes it made it harder especially since XP brought a good bit of compatibility with software written for the 9x line so people could move easily from 9x/Me to XP.

      I don't really recall much complaining about issues other than Microsoft doing things like rewriting boot records to use their boot loader (which stopped with Vista, but if I'm not mistaken started again with Win8 and SecureBoot), effectively making dual booting a real chore to install correctly, not to mention (which still happens) manufacturers putting in the BIOS/EFI/UEFI configurations only for Windows and skipping any alternative - making use of power management features extremely difficult, and typically leaving the Linux devs to ignore the BIOS/EFI/UEFI as much as possible.

      Overall yes, the usability of Win2k and even WinXP was high enough that it did keep people on Windows longer, thereby depressing the numbers that would have migrated to a Linux DE. Even Vista and Win7 have done that. Win8 was a blessing to Linux DE since its complicated tile-based interface (Metro, aka Modern) pushed people away; and Win10 (with metrics, etc) isn't really a complete solution to that (it did resolve the Metro issue, but introduced others).

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    8. Re:Not *all* Windows versions by Desler · · Score: 1

      They never made any such claim. So, yes, your strawman claim is false.

    9. Re:Not *all* Windows versions by CanadianMacFan · · Score: 1

      Bah, you need to be running NT 3.5! After that they moved the video drivers into the kernel and you got a lot more blue screens of death.

  13. priv esc by Robert+Goatse · · Score: 3, Interesting

    So it's a privilege escalator not necessarily an exploit to initially get into a host. For a 'real' Windows exploit, 90K is super-duper cheap, but for something like this 90K may be a tad overpriced for what you get.

    1. Re:priv esc by Anonymous Coward · · Score: 0

      You are likely correct. However people do chain these together and take a remote code exploit (like a flash vulnerability or a Java one) and attach one of these elevation of privilege exploits to own the machine with a drive by attack. You typically need both to do something super interesting (like drop a root kit), although to encrypt user mode files you don't need the elevation of privilege.

    2. Re:priv esc by Anonymous Coward · · Score: 0

      It is not $90k for a privilege escalation exploit. Just to put this in context, Zerodium will pay up to $30k for working local privilege escalation exploits in Windows. I did not read anything on their site about exclusivity although they state they pay more if the exploit lifespan meets certain requirements as well as will pay more in some instances. However, this guy is selling to the highest bidder and criminal enterprises are likely not excluded. It is $90k for exclusive rights to a privilege escalation exploit that bypasses EMET protections, works on all (modern?) Windows versions, comes with source code and a working demo, and I suspect is easily weaponized. He may not get $90k for it but I would bet he easily gets a bid of $60k+.

  14. FUD works both ways by Anonymous Coward · · Score: 0

    Welcome to the New World, in which your OS is presumed guilty of being Vulnerable.. until proved Otherwise

    In other words, you're Insecure .. get over it

  15. Slashvertisement by Anonymous Coward · · Score: 0

    This is one of the more peculiar slashvertisements that I have seen.

    1. Re:Slashvertisement by Anonymous Coward · · Score: 0

      I want to buy one! I wonder if banks give windows-vulnerability-backed loans. Should I default on my loan, then the bank can repossess and auction the vulnerability by itself.

  16. the free market by Toonol · · Score: 2

    If he can find a buyer, it's not overpriced. Items don't have an innate value; their worth is whatever someone is willing to pay at that moment.

  17. true type by Anonymous Coward · · Score: 0

    seems another "TrueType" exploit.

  18. Scam? by Roodvlees · · Score: 1

    Can't he make much more money by selling it to Microsoft? It seems this is priced way too low.

    --
    Thank you, Bradley Manning, Edward Snowden and so many others, for courageously defending humanity, my freedom and more!
    1. Re:Scam? by Anonymous Coward · · Score: 0

      if he 'sells' it to microsoft, microsoft would fix it. better to sell to a fellow hacker/crook so you can still use the exploit yourself.

    2. Re:Scam? by Anonymous Coward · · Score: 0

      MS already pushes any software they want to most computers running Windows. They would need this only if they wanted to force in their Windows10-malware to those machines which have turned the automatic updates off. But that might be too much even on the USA.

    3. Re:Scam? by Anonymous Coward · · Score: 0

      Did you put a picture of someone's face in front of the camera?

  19. Shameless krebs plug by Anonymous Coward · · Score: 0

    Brian Krebs had an interesting observation about this video being published on patch day. This 0-day may be old now. If I was in the market, I'd ask for a new video with a fresh time stamp.

  20. Security experts, but not financial experts... by Afty0r · · Score: 1

    While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

    So by definition they do not think it's overpriced.

  21. Surprised it lasted this long by Anonymous Coward · · Score: 0

    I figured Microsoft or the NSA would have dedicated people trolling these sites to buy the exploit as soon as it was available.

    It's not like either entity is hurting for cash.

  22. Just sayin' by Anonymous Coward · · Score: 0

    It's guys like BuggiCorp that make it necessary to secretly tap internet backbones.

  23. Why even care about privilege exploit? by Anonymous Coward · · Score: 1

    Does most malware even need admin or SYSTEM access anymore? Once you have a malicious process running as the local user you can steal their data or encrypt it and extract money that way.

  24. whew, I'm safe by Anonymous Coward · · Score: 0

    >“[The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10.”

    Can't touch my Win98 SE machine!

  25. All Windows OS versions on sale for $90,000 by Anonymous Coward · · Score: 0

    I didn't think that Windows was worth the $100 license, let alone $90,000.

    oh, wait.

  26. Re:in soviet russia we overprice you! by Anonymous Coward · · Score: 0

    lame

  27. Pfffft by JustAnotherOldGuy · · Score: 4, Funny

    That's nothing. I've got a zero-day bug called "Norton Anti-Virus" that pwns all versions of Windows and it's only $49.99.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  28. Another Good Reason by Anonymous Coward · · Score: 1

    Another good reason not to use Windows.

  29. Whew! by Barefoot+Monkey · · Score: 1

    Windows Zero-Day Affecting All OS Versions On Sale For $90,000

    Thankfully the OS version I'm using isn't on sale for $90,000 so it isn't affected by this zero-day.

  30. Lock him up by Anonymous Coward · · Score: 0

    He says he's a hacker, so he's guilty, so lock him up. It's the law!

    People like him are why the law exists, in fact. LOCK HIM UP ALREADY.

  31. Videos, you say? by wonkey_monkey · · Score: 1

    Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features

    Videos, eh? Good job they can't be faked.

    --
    systemd is Roko's Basilisk.
  32. Re:in soviet russia we overprice you! by RabidReindeer · · Score: 1

    Ha! I'm waiting for the Bangalore version. $95.

  33. Re: in soviet russia we overprice you! by Anonymous Coward · · Score: 0

    Die windows...

  34. WMF bug? by TemporalBeing · · Score: 1

    It keeps rearing its ugly head...did they reintroduce it again?

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  35. 5 minutes later the buyer gets an NSL from the FBI by schwit1 · · Score: 1

    Hand over the vulnerability and you are gagged.

  36. NSA Will Buy It by wasteoid · · Score: 1

    The NSA will buy it, or some other Three-Letter-Acronym organization. And by "buy it" I mean abduct him, steal it, and dissolve him in a bathtub.

    1. Re:NSA Will Buy It by mnemotronic · · Score: 1

      The NSA will buy it

      If it doesn't sell immediately for any price then I suspect that either
      1. It's bogus
      or
      2. The TLAs already have the vuln

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    2. Re:NSA Will Buy It by ebvwfbw · · Score: 1

      The NSA will buy it, or some other Three-Letter-Acronym organization. And by "buy it" I mean abduct him, steal it, and dissolve him in a bathtub.

      That's funny. Watching Breaking Bad or something? State nations don't have to do something like that. They can make people disappear and never get found a lot cheaper than the bathtub trick.

      Besides, they probably had the hack years ago.

  37. Re:5 minutes later the buyer gets an NSL from the by Gavagai80 · · Score: 1

    Somehow I doubt someone buying exploits on the black market is going to charge it to their mastercard and provide their address. Maybe to a victim's.

    --
    This space intentionally left blank
  38. Is this a new one? by dwywit · · Score: 1

    Or is it the same old exploit?

    Task scheduler - create task
    Run as user SYSTEM
    trigger - whenever
    run cmd.exe or vbscript host with parameters/payload of choice
    Profit!

    There ya go. Saved you $90K

    I use that one to kill anti-virus/anti-malware programs whenever I need to run combofix, because the programs have failed in their primary purpose. If anti-malware programs can't guarantee to stop attacks, they shouldn't be allowed to run in the SYSTEM context. Require a password or SMS code to stop them temporarily, sure, but don't run them in a context where they CAN'T be stopped by a user. Some of them can be suspended temporarily, but that's not enough sometimes.

    Back in the NT days, you could even get a CMD window to pop up on the desktop, running in the SYSTEM account. That's how you could get access to the SAM hive of the registry. The passwords were still encrypted, but still......

    --
    They sentenced me to twenty years of boredom
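A defender-side check for the pattern described in the comment above (a scheduled task that runs a command interpreter or script host as SYSTEM), added here as an example and not part of the original thread. It assumes the task definition XML has already been collected, for instance from the TaskContent field of Security event 4698 or from a file under C:\Windows\System32\Tasks; the helper names and all sample tasks are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_NAMES = {"s-1-5-18", "system", "nt authority\\system"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def review_task(task_xml):
    """Return (interpreter, arguments) for each SYSTEM-context script-host action."""
    # Drop the XML declaration so a str carrying encoding="UTF-16" still parses.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    system_ids = {p.get("id") for p in root.findall("t:Principals/t:Principal", NS)
                  if p.findtext("t:UserId", "", NS).strip().lower() in SYSTEM_NAMES}
    findings = []
    for actions in root.findall("t:Actions", NS):
        context = actions.get("Context")
        # Skip action lists bound to a principal that is not LocalSystem.
        if not system_ids or (context is not None and context not in system_ids):
            continue
        for exe in actions.findall("t:Exec", NS):
            command = exe.findtext("t:Command", "", NS).strip().strip('"')
            if ntpath.basename(command).lower() in SCRIPT_HOSTS:
                findings.append((ntpath.basename(command).lower(),
                                 exe.findtext("t:Arguments", "", NS).strip()))
    return findings

def make_task(user_id, command, arguments):
    """Build a minimal task definition; constructed sample data, not a real event."""
    return (f'<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task xmlns="{NS["t"]}"><Principals><Principal id="Author">'
            f'<UserId>{user_id}</UserId></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

SAMPLES = {  # constructed examples
    "system_cmd": make_task("S-1-5-18", r"C:\Windows\System32\cmd.exe", "/c example.bat"),
    "user_cmd": make_task("S-1-5-21-1111-2222-3333-1001", "cmd.exe", "/c example.bat"),
    "system_backup": make_task("S-1-5-18", r"C:\Tools\backup.exe", "--nightly"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, review_task(xml_text))
```

Only the first sample is reported; the interpreter list is a starting point to tune against the tasks that legitimately run as SYSTEM in a given environment.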
  39. Going cheap! by Anonymous Coward · · Score: 0

    I can get you the same exploit, I will only sell it to 20 people, though the price will be much lower at $20,000.

  40. Re:5 minutes later the buyer gets an NSL from the by Anonymous Coward · · Score: 0

    The FBI purchases a considerable number of these exploits for their own use. Ask me how I know. -PCP

  41. Re:in soviet russia we overprice you! by phrostie · · Score: 1

    But GWX is free until July

  42. Shouldn't Microshaft buy it?! by monkeyzoo · · Score: 1

    Shouldn't Microsoft buy this so they can patch it?!?!??!

    How does the price compare to their bug bounty, if they have one? In any case, seems it would be good in the long-term for them to snatch it up before criminals do and in the long run would be better PR for Windows than having more hacking cases attributed to them. Or, maybe it's a bad precedent to set for them to pay more and pay outside the official bug bounty channels (again, if they have one)?