Windows Zero-Day Affecting All OS Versions On Sale For $90,000

An anonymous reader writes: "A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM," writes Softpedia. The zero-day is up for sale on a Russian underground hacking forum, and is currently available for $90,000 -- after it was initially up for $95,000. The hacker is saying he'll sell the zero-day to one person only, who'll receive its source code and a working demo. Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features. While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

Its not over priced

if some one will pay it.

Re:Its not over priced

[Junta]

But the person said they are going to sell to *one* person. They don't want to sell to multiple people.

Re:Its not over priced

[NatasRevol]

He only wants one customer, so I'd say it doesn't matter.

Re:Its not over priced

[110010001000]

I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

Re:Its not over priced

[Opportunist]

Isn't it heartwarming how quickly those Commies embraced Capitalism?

Re:Its not over priced

[JustAnotherOldGuy]

I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

Exactly. Russian hackers are known for their unfailing honesty and fair dealings in their business practices.

Re:Its not over priced

Thank goodness Western hackers only do it for God and country

Re:Its not over priced

[110010001000]

You are right. People will never trust "BuggiCorp" again. And he can't change his handle, it is on his passport and his Mom would be upset too. Thanks for the tip.

Re:Its not over priced

[Falos]

Offering a $100 water bottle to someone dying in the desert is overpriced. You people are deliberately spreading this bullshit about "There's no such thing as 'overpriced' we can charge anything for anything".

Using the imaginary property racket to monopolize a $500 pill is overpriced. Oops, someone found a functional reprint and is giving it away, now your angry shareholders are gonna have you black bagged.

Re:Its not over priced

[pr0fessor]

That's about 6 million rubles is that enough to retire?

Re:Its not over priced

[AlphaBro]

The first two points are valid. That last, not so much. A vulnerability can be patched at any moment, intentionally or not. This is especially true if live 'spoits are in play.

Re:Its not over priced

[sshir]

I'm not economist, but still, I think you are wrong. By saying "$100 water bottle to someone dying in the desert" you are intentionally conflating water's utility in that particular situation with water's _marginal_ utility and cost. Who knows how that particular bottle ended up in the desert, might be that the seller is dying from thirst himself, etc.
BTW, marginal utility (and marginal cost) of that vulnerability is exactly zero. Do you expect getting it for free?

And $500 pill might be an abuse of monopoly position, and might not be (e.g. massive R&D with small number of cases). And while government gives copyright protection it also has the power to rein on monopoly abuses. Blame your slow or corrupt or incompetent government for not slapping pharma's hand. Again - granted monopoly comes with price controls - pharma might self regulate if they wish but don't have to (they have shareholders to feed, risky R&D investments to make, etc).

Re:Its not over priced

[JustAnotherOldGuy]

That's about 6 million rubles is that enough to retire?

No, not nearly enough unless you're already 75 years old, and maybe not even then. It works out to just under $90K ($89,413 according to google). You could live in style for a while but it's hardly retirement-level money.

Re:Its not over priced

[pr0fessor]

I have no idea how the cost of living differs I have friends in countries where $90k USD would be about the same to them as it is to me and some countries where it would be more, of course $90k is a lot more in kansas than new york and that's the same country.

Re:Its not over priced

[JustAnotherOldGuy]

I have no idea how the cost of living differs

It differs based on location and how old you are. No matter where you live you'll need more to retire at 50 than at 70, assuming you want to live to reach 80 (for example).

Re:Its not over priced

[FilatovEV]

That's about 6 million rubles is that enough to retire?

It's a not-too-much-qualified programmer's wage during 4 years, assuming a domestic Russian employer (a monthly wage of 120k roubles is what pretty much any guy can get doing programming in a Russian company). But a person that qualified always has the option to work for a Western company, in which case it's about a year's wage, give or take.

Re:Its not over priced

[FilatovEV]

Isn't it heartwarming how quickly those Commies embraced Capitalism?

It wouldn't harm to do a bit of reading to better appreciate the Russian culture since after the collapse of the Soviet Union. You could start with a popular 1997 sci-fi novel.

Basically there was wild Capitalism since 1991, and it's not fun.

Re:Its not over priced

[lsatenstein]

NSA. Homeland Security, and other goodguys (sic) will do a joint purchase

It is worth what somebody will pay for it

[thue]

> While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

Re:It is worth what somebody will pay for it

I got Windows 10, including all its vulnerabilities, for free. No way is anyone paying $90K for just one of them.

Re:It is worth what somebody will pay for it

[mrchaotica]

They failed to sell it at $95,000, so that amount was overpriced. Since it hasn't sold yet (or at least, Slashdot hasn't reported its sale yet), whether $90,000 is overpriced remains to be seen.

Re:It is worth what somebody will pay for it

I just woke up one morning, and it was fucking there. I assume it was free, but I really don't know for sure. I just woke up the computer from sleep mode and there was Windows 10 staring back at me. On top of that, it had uninstalled 3 of my apps because it said they were not certified to work with Windows 10. It didn't even ask, it just nuked them. Luckily they were things that I almost never use, but that was wrong. Fuck Windows 10.

Re:It is worth what somebody will pay for it

[ripvlan]

While I agree with your sentiment - something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

I suppose it depends upon how many bidders there are. If there are 20 people who might want to buy it - but only 1 buys it - then it might have been too high a price.

Years ago a friend told me - when discussing setting prices for a tag sale - go on eBay to determine the value of something. It is like a commodities market and shows the price that the market will bear.

Re:It is worth what somebody will pay for it

[b0bby]

something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

Well, that's the market - all you need is one "idiot" in this case. A "fair" price can be influenced by a lot of things, but a market price should be the highest price the market will bear.

Re:It is worth what somebody will pay for it

[bondsbw]

In this case, due to supply vs. demand (where supply = 1) it is the same as literally the highest price anyone will pay for it.

Re:It is worth what somebody will pay for it

[geekmux]

> While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

Re:It is worth what somebody will pay for it

[JcMorin]

I tend to agree since the hacker said he will sold it only once, that seems to be a good deal for Microsoft.

Re:It is worth what somebody will pay for it

[Flavianoep]

They must be trying to figure out what the vulnerability is, or if it actually exist at all.

Re:It is worth what somebody will pay for it

[Dr_Barnowl]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

Re:It is worth what somebody will pay for it

Windows. The cheapest, best option. If your time is worthless.

I used to say this about Linux, but it's become better than Windows.

Or you got a clue. That does tend to happen over time. Sometimes. Not all Linux users are noobs constantly making forum posts wondering why something doesn't work. Some of us know what we're doing. We set a thing up once and it continues to run smoothly while we do whatever it is we intended to do with the system.

    For the clueful it's always been better than Windows with the one exception of heavy gamers. Linux was rock solid stable back in the crashy Win 9x days, it has one hell of a lot less remotely exploitable vulnerabilities and plenty of ways to reduce your attack surface (don't run shit like Sendmail). It has no viruses in the wild despite the powerful high-bandwidth tempting targets that > 50% of all web servers would make. It has centralized package management instead of chaotically letting each application run its own updater like in Windows so it's easier to be sure things get patched. It also has options to mitigate threats like grsecurity, selinux, and building source with SSP.

It also comes with the bonus of not dealing with Microsoft, and avoiding all the baggage attached to that. I know some of you love to hate that reason - maybe you must deal with Windows at work so you have to rationalize it. That's understandable, but no reason to disregard the long hostile history of MS and no reason to ignore the wisdom of those who have witnessed it personally. Their new thing is using a "free" upgrade to spy on their own customers - that's just the latest in a long line of abuses, some illegal, most not, all hostile. Some of us got tired of saying "ouch ... more!" because we're not into electronic S&M.

Re:It is worth what somebody will pay for it

[bbelt16ag]

you don't even got to learn to use a clutch anymore, how hard can it be? C is C, .net is .net whats the damn big deal? move people move! Microsoft is the Villain, always has been always will be.

Re:It is worth what somebody will pay for it

[jo7hs2]

Actually, EPA mileage estimates usually come out slightly *higher* for automatics now. Just saying.

Re:It is worth what somebody will pay for it

[Opportunist]

Timeo Danaos et dona ferentes

And considering the gift mentioned in this quote was the Trojan Horse, I can't think of a better phrase describing how I feel about Windows 10.

Re:It is worth what somebody will pay for it

[Opportunist]

Windows. Proof of the "you get what you pay for" proverb.

Re:It is worth what somebody will pay for it

[Opportunist]

Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound that you could get out of your mainboard and it's even nontrivial for people without a decent Linux background to get their graphics acceleration working. And even games that allegedly have Linux support usually mean that "it should run in Mono, right?"

In other words, Linux on a server? Any time. And probably better supported and faster than what you'll get on Windows.

Linux on the desktop? Not if gaming is your goal and/or nonstandard non-server hardware is what you'll be using. This is not necessarily the fault of Linux itself, more one of hardware manufacturer delivering zero to little support for their hardware for use in Linux. Which in turn is mostly due to most people buying their hardware for Windows and only installing Linux as an afterthought, only to find out that their Hardware is not working as it should, blame Linux and switch back.

And no, I don't have a solution ready for this.

Re:It is worth what somebody will pay for it

They must be trying to figure out what the vulnerability is, or if it actually exist at all.

Or even Microsoft's billions aren't enough to keep playing whack-a-mole with all the vulnerabilities in Windows.

That or they don't want to be in a position of rewarding this kind of research. Some companies do have bug-bounties because they want to openly attract white-hats but I've never heard of MS doing that. MS probably just wants the whole thing to go away. It won't, but when you have a monopoly you can afford to pretend.

Re:It is worth what somebody will pay for it

[David_Hart]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

More like a model-T where you have to set the gas, choke, and then hand crank it. Some distributions are more user friendly than others, but if you want to do anything more than web browsing and document editing it requires a steeper learning curve than learning how to drive a stick.

Re:It is worth what somebody will pay for it

[Gr8Apes]

Windows. The cheapest, best option. If your time is worthless.

Linux has never been an option when your time is worthless. Anyone thinking that there is no time commitment when learning how to use a tool has a broken valuation standard - they're also ignoring all the time they have spent learning and fighting with the O.S. they are currently using.

This is what people don't understand. A LiveCD(DVD) will get you running on Linux with minimal fuss, much like the initial crappy windows install. Windows was alluring because it was simpler for many, and came pre-installed. Plus, Office ran on it. Office is now no longer as important (seriously, it isn't, you can live without it even in an Office oriented world) and the costs of keeping Windows running and not invading your privacy IMHO has now exceeded learning Mac OS or Linux. Hell, even learning how to build and install Gentoo might be simpler.

Now if you'll excuse me I'll go back to grumbling about systemd, GNOME 3.x and other real problems . . . except we can route around the damage.

Systemd is banned on any system I run. Any *service* that demands that POSIX compliant apps be rewritten to its non-POSIX standards is a massive FAIL. The sooner the various systemd pandering distros realize that, the better. Or maybe not. After all, NetBSD, or any BSD really, is rock solid and a better system in many ways. And no systemd there. :)

Re:It is worth what somebody will pay for it

[olsmeister]

Also, nobody asks to borrow your car (computer) because they cannot operate it.

Re:It is worth what somebody will pay for it

[flyingfsck]

No, Winston Churchill only said never 7 times in that speech, not 8.

Re:It is worth what somebody will pay for it

[flyingfsck]

Yes, yes, Linux doesn't work on toys, but it works on everything else. Windows only works on toys.

Re:It is worth what somebody will pay for it

[Opportunist]

The problem is, most of the Joe Randomusers out there use their computer primarily as a toy.

What Joe wants is to look at his Facebook, read his mail, chat with friends and play some games. And that's it. Yes, we up here in our beautiful ivory tower, we might have some lofty ideas what our computers should or should not do, but that matters little to the 99% of Joes out there. They don't care about spyware in their OS. They don't care about only being allowed to install software from the walled garden (because that's all THEY want). And they don't give a shit that we rant and rave against it.

And neither do hardware makers. They care about sales numbers. If that means to offer locked down hardware that is to the liking of governments and corporations, they will offer locked down hardware. Not because they are "evil", because they hate free speech or because they don't want us to actually own the machines we pay for, but simply because that means more sales.

So yes, if you want freedom, you have to cater to that Joe out there who wants to play with his toys. Because we are few and the Joes are many. So we need those Joes that want their toys in our boat to get the hardware (and software) makers to do what we want.

Re: It is worth what somebody will pay for it

[Type44Q]

Notoriously most non-server related hardware.

You're years out of date.

Re:It is worth what somebody will pay for it

It's an estimate. It's probably a good one too- most stick drivers aren't going for efficiency all the time, and automatics have gotten smarter at this than in the past. But if you drive a manual for gas mileage, you'll beat the robot still, for sure.

Re:It is worth what somebody will pay for it

[Opportunist]

The problem is not just me. The problem is Joe who gets fed up with Windows and eventually gets off his butt and tries something else. Joe will invariably have hardware in his system that will not work well with Linux. Yes, it's a problem of the hardware manufacturers, but in the end, it's ours. Because Joe doesn't care WHY his hardware isn't supported, he cares THAT it isn't supported.

And I could think of quite a few games that refused to work for me in Linux. KSP being maybe the one that most people here would know best.

Re:It is worth what somebody will pay for it

[thegarbz]

A few more skills, in exchange for more efficiency and better performance.

That is actually a very awesome and relevant comparison given that these days you get better efficiency and better performance out of a variety of the modern automatic transmissions and the only thing that stick shift drivers still have to boast about is more control over their engine.

Re:It is worth what somebody will pay for it

[fahrbot-bot]

but there is little to no support for programmable mice (you know the kind, with the 20 buttons)

Twenty buttons on a mouse? At point, wouldn't it just be easier to mount an LED on the bottom of your keyboard and use *that* as your mouse?

Re: It is worth what somebody will pay for it

[Opportunist]

Ok, then. Since I could not locate them and you're obviously far more knowledgeable, I'm really sure you could point me to the Linux drivers for the Asus Xonar Essence STX so I could actually use it for more than the built-in sound card on the mainboard (for which I also have no drivers, but then again, I don't use it, so...) and tell me how to make a Mad Catz R.A.T. 7 Gaming mouse work (not even talking about drivers for the special tidbits, I'd be happy if all my clicks were noticed already) in XWindow? And while you're at it, please point me to the Linux version of the configuration tool for the Thrustmaster Warthog HOTAS. And please point me to the Linux drivers for the USB soundcard that comes with the Sennheiser D363 headset, that would be great.

Thank you!

Re:It is worth what somebody will pay for it

[Minupla]

It can't be that good an exploit. M$ pays up to 100KUSD for bug bounties. If it was that good, they'd just sell it to M$, instead of discounting to 90K.

Expect it'll get discounted again before sale. Although they have to be happy about the PR, might help them get a sale.

Re:It is worth what somebody will pay for it

[thegarbz]

Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

Lol nice try. But not only are the EPA estimates gamed in a way that unless you drive downhill both ways you're not going to beat them, but manufacturers have in the past year come out of the woodworks showing how they themselves game the system to achieve even lower mileage than the car would in any ordinary situation.

Re:It is worth what somebody will pay for it

[Opportunist]

C'mon, you're not that aspie that you don't understand the concept of exaggerations.

Re:It is worth what somebody will pay for it

[Mashiki]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

The only downside is that for gaming in general, 'nix is pretty shitty. I know some idiot will go, blahblah,gaming,blahblah,nicheshit. Keep in mind that most of what people use 'nix for would also be considered niche shit. That's changing at last though, especially with vulkan and the number of developers that are on board with it vs DX12 and that all video card manufacturers are on board with it. With any luck it'll finally put the nail in the coffin of OpenGL and that giant clusterfuck it has yet to recover from back ~5 years ago. They get it worked out, and we'll finally see "year of the 'nix desktop" ... finally... after almost 20 years of people claiming it so.

Re:It is worth what somebody will pay for it

[fahrbot-bot]

C'mon, you're not that aspie that you don't understand the concept of exaggerations.

Nope. I've just been around long enough to know how ridiculous some hardware can be and am not assuming you're joking. I'm *sure* someone out there actually has a mouse with 20 buttons on it -- probably that they custom built -- or will want one after reading your post. Just you wait. Someone is going to ask where you got it. :-)

Re:It is worth what somebody will pay for it

[drinkypoo]

EPA can't drive stick. And, they drive slow as all hell in automatics. No one gets the EPA mileage in an automatic unless they drive like a total asshole on the road (total slow fuck).

I have no trouble getting the EPA estimated mileage in my 1997 Audi A8 Quattro, and that was back in the day when the EPA mileage estimates were invented from dreams and unicorn jism. It's got 230,000 miles on it, and still gets over 19 MPG combined. The window sticker estimate is 17/25; the 3.7 liter FWD model has an 18 combined estimate and I have the 4.2 liter AWD version. (The EPA has not published a combined mileage estimate for my vehicle.) And here's a couple on Fuelly getting over 21, they must be doing pretty much all-highway. And I make pretty good time, I don't hesitate to pass, etc. I just don't waste fuel. Enjoying it isn't wasting it, but if you're on the brakes all the time, that is. And mind you, it has a fairly old-school automatic... clutch packs and not bands, but still triple-planetary.

Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

Most people don't downshift soon enough on flat, and/or downshift too soon on a hill, and they fail to get good mileage.

Re:It is worth what somebody will pay for it

[tlhIngan]

Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound that you could get out of your mainboard and it's even nontrivial for people without a decent Linux background to get their graphics acceleration working. And even games that allegedly have Linux support usually mean that "it should run in Mono, right?"

In other words, Linux on a server? Any time. And probably better supported and faster than what you'll get on Windows.

Linux on the desktop? Not if gaming is your goal and/or nonstandard non-server hardware is what you'll be using. This is not necessarily the fault of Linux itself, more one of hardware manufacturer delivering zero to little support for their hardware for use in Linux. Which in turn is mostly due to most people buying their hardware for Windows and only installing Linux as an afterthought, only to find out that their Hardware is not working as it should, blame Linux and switch back.

And no, I don't have a solution ready for this.

It's not the esoteric hardware that's the problem, it's the whole Linux development philosophy needs to change for Linux on the desktop.

Server use cases are completely different from desktop use cases, and much conflict has occurred over stuff to get Linux on the desktop.

Things like NetworkManager, PulseAudio, SystemD are required on the desktop because they enable operations that users expect from a decent desktop OS. And yet if you listen to the Linux communities at large, you'd think each one was the devil for being large, monolithic and completely "not Unix".

And that's ignoring the need to standardize on a desktop environment.

NetworkManager is completely necessary even though it doesn't seem to do much - because mobile computers will connect to multiple networks with multiple requirements all the time - /etc/network/interfaces was just not designed to handle scenarios where WiFi may attach to a home network, a work network, and multiple public networks, each with a varying configuration of static/dynamic IPs, firewall, VPN, and other settings. Heck, most OSes note the MAC address of the gateway router to figure out what network they're on to make life easier (i.e., if the gateway is the one you marked "Home", then the network manager stack will configure the network for your home).

PulseAudio is another one, something necessary because sound cards will appear and disappear constantly. (I.e., stuff like Bluetooth headsets, USB DACs, etc). Again, in a mobile use case, a user may dock their PC which has a USB DAC associated with it, and the moment they do, audio should seamlessly switch to it. (Granted, some application can use "exclusive" mode and they may need restarting in order to associate with the proper hardware. But in the general use case, most users will use the default system mixer which should intelligently move the music from internal sound to the external sound card without skipping a beat. Plus, they want to be able to watch their YouTube video and such so everything should be mixed in. And when they get a VoIP call, it would use their speakers and micropones until the user plugs in their headset (USB based, or Bluetooth) at which point the OS should systematically route just the communications audio to the VoIP program to the headset, even while music or other thing is running, without skipping a beat.

All these require big monolithic blocks and completely destroy "the unix way" because there is no way solve the complexity of these operations without big monolithic services.

Re:It is worth what somebody will pay for it

[clarkn0va]

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

Re: It is worth what somebody will pay for it

[Bing+Tsher+E]

The 'non-server related hardware' Linux supports is out of date, too. Moving target, dude.

Re:It is worth what somebody will pay for it

[mink]

I own a gen 1 Prius (296K miles) and even when it was new the best way to improve mileage to near sticker (highway) was to use cruise control as much as possible.

Re:It is worth what somebody will pay for it

[geekmux]

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

Since you've kindly labeled this as a "ransom", please feel free to tell me how this is really that different from a bug bounty program.

You can label this "activity" any way you want. At the end of the day, it's Microsoft paying someone to help make their own damn product secure. One would think that would be worth it to them. The only real difference is Microsoft is being forced to pay more than a pathetic pittance for the solution.

Re:It is worth what somebody will pay for it

[KingMotley]

Not much of an exaggeration. Mine has 19.

Re:It is worth what somebody will pay for it

[negRo_slim]

It has no viruses in the wild despite the powerful high-bandwidth tempting targets that > 50% of all web servers would make.

I'm glad someone brought some humour into this discussion. Good show!

Re: It is worth what somebody will pay for it

[haruchai]

Have you tried asking the vendor to write a driver? They wrote the ones for Windows, didn't they?

Re:It is worth what somebody will pay for it

[Lord+Crc]

Windows only works on toys.

Linux on desktop is a toy.

I use Windows on my desktop PC because I prefer to get shit done.

Re: It is worth what somebody will pay for it

[Opportunist]

Yes. There is a market for that in Windows, ya know? Linux gaming is still a rather insignificant portion of the cake.

Re:It is worth what somebody will pay for it

[HiThere]

Sorry, but that's not true. Microsoft is *A* villain. There are plenty of others. In fact, just about every group is a villain in some area. Apple is notorious for binding users to its hardware, and has been since the Apple ][ variable density disk drives. Google slurps up user information. Red Hat pushes systemd. Etc.

There are plenty of villains to go around. Microsoft is just an unusually wide spectrum villain. But they used to sell good keyboards.

Re:It is worth what somebody will pay for it

[HiThere]

I'd like to say "that's Greek to me", but I know it's Latin...Virgil if I recall correctly.

Re:It is worth what somebody will pay for it

[TeknoHog]

Learning Linux is like learning to drive a stick shift.

That's a nice comparison, because here in Finland everyone who learns to drive, does so with stick shift and clutch. Automatic transmissions are only used by disabled people. This is obviously why Linux comes from Finland and Windows comes from the USA.

Re:It is worth what somebody will pay for it

[Copid]

The difference between paying for this and paying a ransom is that paying a ransom encourages people to do damage that otherwise wouldn't have occurred. In this case, the bug clearly exists already (assuming this isn't fraud), so somebody is going to find it and use it sooner or later, even if this guy doesn't sell the exploit. If it's real, $90K sounds like a sweet deal for Microsoft. A serious incident involving an exploit like that would cause way more than $90K in damage, and it would cost a team of engineers way more than $90K to figure out what this bug is and fix it.

Re:It is worth what somebody will pay for it

[mtxmorph]

Linux on desktop is a toy.

Is it now?

Hmm, then I must have been playing instead of working here in the office - it's been two years since I switched my laptop over. Thanks for letting me know; it's a good thing they haven't fired me.

Re: It is worth what somebody will pay for it

[Opportunist]

One out of four. And it's from an AC. And it's something that I'd not really trust Joe Randomuser with.

But hey, it's a start. Out of curiosity, dear AC, how long did you search for it when you needed it?

Re:It is worth what somebody will pay for it

[Reziac]

Small potatoes. Did you see Tom Scott's emoji keyboard??!

https://www.youtube.com/watch?...

Headline

[rossdee]

:All OS Versions On Sale For $90,000"

What OS versions reetail for $90,000 ?

Maybe some punctuation in the headline might help.

Perspective

[Psicopatico]

You shouldn't worry about known exploits.
You should worry about unknown exploits.

Re:Perspective

[Dr_Barnowl]

It's unknown though. It's just a known unknown instead of an unknown unknown.

Re:Perspective

[Opportunist]

I wouldn't know.

Not overpriced at $90K

[xxxJonBoyxxx]

>> While security experts think the ($90K) zero-day may be overpriced

As a security expert and occasional entrepreneur, let me tell you why this isn't overpriced. Let's say you could deliver 10,000 phishing emails that lead to installation of $70/unlock ransomware screens, of which 50% of victims usually pay. That's $350K of revenue, minus costs of the initial phishing campaign ($5K-ish), bitcoin exchange fees (maybe $10K) and the $90K for your zero day. That leaves a profit of about $250K - not bad for a few days of work.

Re:Not overpriced at $90K

It can be wrapped in any number of games and applications, and stuffed onto torrent sites, or even shiteware sites like cnet's. Every week a new mega-game is coming out, suckers are waiting. With the holiday season new CoD, BF, et al looming, millions will grab the latest without a thought.

Re:Not overpriced at $90K

If a competitor is selling theirs for half the price, is yours still not overpriced because your buyer can still make a profit?

ALL Windows versions?

[U2xhc2hkb3QgU3Vja3M]

It works on Windows XP? Windows 98SE? Windows 3.11?

Re:ALL Windows versions?

[nullCRC]

just not Windows 2.0

Re:ALL Windows versions?

[Phydeaux]

Win 3.11 was an operating environment, so technically not the Win 3.x family. The real question is, will it work on WinME, because even officially authorized software was unable to work with it...

Re:ALL Windows versions?

[TeknoHog]

The real question is, will it work on WinME

I first read that as "Wine", and a good exploit should be portable in that way. Although I guess technically that would count as a mere operating environment.

MS Goes Black

[TFlan91]

If you thought gwx.exe was a bitch, just wait until MS gets their hands on this exploit!

"But... it was the Russians! They thought they could brick all US PC's by forcing Win10 upgrade!"

Not *all* Windows versions

[Junta]

exists in all OS [versions], starting from Windows 2000.

And people mock me for running NT4!

Re:Not *all* Windows versions

At least the last time he saw a vagina in person wasn't when being birthed by his mom. You on the other hand...

Re:Not *all* Windows versions

[TemporalBeing]

Ahh, so the claim of M$ that Win10 had a different code base compared to all the previous versions is false.

When did they make that claim? Never that I'm aware of.

Historically, Microsoft had two code bases: Win9x line, and NT line. With WinME and WIn2k/XP, the two lines merged. Then between Win2k/XP and Win2k3/Vista, there was a major refactor of the codebase, removing cyclic dependencies, user-kernel-user dependencies (so it was only user->kernel, no kernel->user), reducing headers so you could actually include simple headers instead of the entire Windows API all the time, and more. Every version of Windows since Vista has been an incremental change building off of that refactor.

Re:Not *all* Windows versions

[Bing+Tsher+E]

I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

Re:Not *all* Windows versions

[TemporalBeing]

I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

True, though I really didn't like XP's interface (eX-Professional - due to all the bubbles, etc - really made it seem childish to me). Between it and cost I jumped over to Linux for Desktop more quickly; though my employers stuck with Windows.

The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

Kind of. Win9x/Me and Win2k were pretty close in many respects as far as usability went from a user perspective. The jump from that to the Linux DE's was pretty significant so yes it made it harder especially since XP brought a good bit of compatibility with software written for the 9x line so people could move easily from 9x/Me to XP.

I don't really recall much complaining about issues other than Microsoft doing things like rewriting boot records to use their boot loader (which stopped with Vista, but if I'm not mistaken started again with Win8 and SecureBoot), effectively making dual booting a real chore to install correctly, not to mention (which still happens) manufacturers putting in the BIOS/EFI/UEFI configurations only for Windows and skipping any alternative - making use of power management features extremely difficult, and typically leaving the Linux devs to ignore the BIOS/EFI/UEFI as much as possible.

Overall yes, the usability of Win2k and even WinXP was high enough that it did keep people on Windows longer, thereby depressing the numbers that would have migrated to a Linux DE. Even Vista and Win7 have done that. Win8 was blessing to Linux DE since its complicated tile-based interface (Metro, aka Modern) pushed people away; and Win10 (with metrics, etc) isn't really a complete solution to that (it did resolve the Metro issue, but introduced others).

Re:Not *all* Windows versions

[Desler]

They never made any such claim. So, yes, your strawman claim is false.

Re:Not *all* Windows versions

[CanadianMacFan]

Bah, you need to be running NT 3.5! After that they moved the video drivers into the kernel and you got a lot more blue screens of death.

priv esc

[Robert+Goatse]

So it's a privilege escalator not necessarily an exploit to initially get into a host. For a 'real' Windows exploit, 90K is super-duper cheap, but for something like this 90K may be a tad overpriced for what you get.

Re:Well,it's too late!

[omnichad]

Wrong zero. It's still -29 days until the Zeroth of July

the free market

[Toonol]

If he can find a buyer, it's not overpriced. Items don't have an innate value; their worth is whatever someone is willing to pay at that moment.

Scam?

[Roodvlees]

Can't he make much more money by selling it to Microsoft? It seems this is priced way too low.

Re:From TFA

[NatasRevol]

Approaches, possibly.

Implementation, not fucking close.

Security experts, but not financial experts...

[Afty0r]

While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

So by definition they do not think it's overpriced.

Why even care about privilege exploit?

Does most malware even need admin or SYSTEM access anymore? Once you have a malicious process running as the local user you can steal their data or encrypt it and extract money that way.

Pfffft

[JustAnotherOldGuy]

That's nothing. I've got a zero-day bug called "Norton Anti-Virus" that pwns all versions of Windows and it's only $49.99.

Another Good Reason

Another good reason not to use Windows.

Whew!

[Barefoot+Monkey]

Windows Zero-Day Affecting All OS Versions On Sale For $90,000

Thankfully the OS version I'm using isn't on sale for $90,000 so it isn't affected by this zero-day.

Re:Windows 10, the most secure version of Windows

[Opportunist]

That's about as good as being the best Aussie Rules Football player in the whole Vatican. I'd dare say it might even be the Pope.

Videos, you say?

[wonkey_monkey]

Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features

Videos, eh? Good job they can't be faked.

Re:in soviet russia we overprice you!

[RabidReindeer]

Ha! I'm waiting for the Bangalore version. $95.

WMF bug?

[TemporalBeing]

It keeps rearing its ugly head...did they reintroduce it again?

Re: Windows 10, the most secure version of Windows

[Type44Q]

I'd say the priest have got the advantage if that's touch football...

5 minutes later the buyer gets an NSL from the FBI

[schwit1]

Hand over the vulnerability and you are gagged.

Re:Well,it's too late!

[sexconker]

That's not how any of this works.

NSA Will Buy It

[wasteoid]

The NSA will buy it, or some other Three-Letter-Acronym organization. And by "buy it" I mean abduct him, steal it, and dissolve him in a bathtub.

Re:NSA Will Buy It

[mnemotronic]

The NSA will buy it

If it doesn't sell immediately for any price then I suspect that either
1. It's bogus
or
2. The TLAs already have the vuln

Re:NSA Will Buy It

[ebvwfbw]

The NSA will buy it, or some other Three-Letter-Acronym organization. And by "buy it" I mean abduct him, steal it, and dissolve him in a bathtub.

That's funny. Watching breaking bad or something? State nations don't have to do something like that. They can make people disappear and never get found a lot cheaper than the bathtub trick.

Besides, they probably had the hack years ago.

Re:5 minutes later the buyer gets an NSL from the

[Gavagai80]

Somehow I doubt someone buying exploits on the black market is going to charge it to their mastercard and provide their address. Maybe to a victim's.

Is this a new one?

[dwywit]

Or is it the same old exploit?

Task scheduler - create task
Run as user SYSTEM
trigger - whenever
run cmd.exe or vbscript host with parameters/payload of choice
Profit!

There ya go. Saved you $90K

I use that one to kill anti-virus/anti-malware programs whenever I need to run combofix, because the programs have failed in their primary purpose. If anti-malware programs can't guarantee to stop attacks, they shouldn't be allowed to run in the SYSTEM context. Require a password or SMS code to stop them temporarily, sure, but don't run them in a context where they CAN'T be stopped by a user. Some of them can be suspended temporarily, but that's not enough sometimes.

Back in the NT days, you could even get a CMD window to pop up on the desktop, running in the SYSTEM account. That's how you could get access to the SAM hive of the registry. The passwords were still encrypted, but still......

Re:in soviet russia we overprice you!

[phrostie]

But GWX is free until July

Shouldn't Microshaft buy it?!

[monkeyzoo]

Shouldn't Microsoft buy this so they can patch it?!?!??!

How does the price compare to their bug bounty, if they have one? In any case, seems it would be good in the long-term for them to snatch it up before criminals do and in the long run would be better PR for Windows than having more hacking cases attributed to them. Or, maybe it's a bad precedent to set for them to pay more and pay outside the official bug bounty channels (again, if they have one)?