Slashdot Mirror


Windows Zero-Day Affecting All OS Versions On Sale For $90,000 (softpedia.com)

An anonymous reader writes: "A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM," writes Softpedia. The zero-day is up for sale on a Russian underground hacking forum, and is currently available for $90,000 -- after it was initially up for $95,000. The hacker is saying he'll sell the zero-day to one person only, who'll receive its source code and a working demo. Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features. While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

28 of 187 comments

  1. It's not overpriced by Anonymous Coward · · Score: 3, Insightful

    if someone will pay for it.

    1. Re:It's not overpriced by NatasRevol · · Score: 2

      He only wants one customer, so I'd say it doesn't matter.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:It's not overpriced by 110010001000 · · Score: 3, Funny

      I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

    3. Re:It's not overpriced by Opportunist · · Score: 5, Insightful

      Isn't it heartwarming how quickly those Commies embraced Capitalism?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:It's not overpriced by JustAnotherOldGuy · · Score: 4, Insightful

      > I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

      Exactly. Russian hackers are known for their unfailing honesty and fair dealings in their business practices.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:It's not overpriced by Anonymous Coward · · Score: 4, Funny

      Thank goodness Western hackers only do it for God and country

    6. Re:It's not overpriced by 110010001000 · · Score: 3, Funny

      You are right. People will never trust "BuggiCorp" again. And he can't change his handle, it is on his passport and his Mom would be upset too. Thanks for the tip.

    7. Re:It's not overpriced by Falos · · Score: 4, Insightful

      Offering a $100 water bottle to someone dying in the desert is overpriced. You people are deliberately spreading this bullshit about "There's no such thing as 'overpriced' we can charge anything for anything".

      Using the imaginary property racket to monopolize a $500 pill is overpriced. Oops, someone found a functional reprint and is giving it away, now your angry shareholders are gonna have you black bagged.

    8. Re:It's not overpriced by sshir · · Score: 3, Insightful

      I'm not an economist, but still, I think you are wrong. By saying "$100 water bottle to someone dying in the desert" you are intentionally conflating water's utility in that particular situation with water's _marginal_ utility and cost. Who knows how that particular bottle ended up in the desert; it might be that the seller is dying from thirst himself, etc.
      BTW, the marginal utility (and marginal cost) of that vulnerability is exactly zero. Do you expect to get it for free?

      And a $500 pill might be an abuse of a monopoly position, and might not be (e.g. massive R&D with a small number of cases). And while the government gives copyright protection, it also has the power to rein in monopoly abuses. Blame your slow or corrupt or incompetent government for not slapping pharma's hand. Again, a granted monopoly comes with price controls; pharma might self-regulate if they wish but don't have to (they have shareholders to feed, risky R&D investments to make, etc).

  2. It is worth what somebody will pay for it by thue · · Score: 4, Insightful

    > While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

    If they think there is a buyer who will pay $90,000 for it, then it is by definition not overpriced.

    1. Re:It is worth what somebody will pay for it by Anonymous Coward · · Score: 5, Funny

      I got Windows 10, including all its vulnerabilities, for free. No way is anyone paying $90K for just one of them.

    2. Re:It is worth what somebody will pay for it by geekmux · · Score: 2, Interesting

      > While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

      > If they think there is a buyer who will pay $90,000 for it, then it is by definition not overpriced.

      And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

      Of course, we knew the latter already...

    3. Re:It is worth what somebody will pay for it by Dr_Barnowl · · Score: 4, Interesting

      Learning Linux is like learning to drive a stick shift.

      A few more skills, in exchange for more efficiency and better performance.

    4. Re:It is worth what somebody will pay for it by bbelt16ag · · Score: 2

      You don't even have to learn to use a clutch anymore; how hard can it be? C is C, .NET is .NET, what's the damn big deal? Move, people, move! Microsoft is the villain, always has been, always will be.

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    5. Re:It is worth what somebody will pay for it by jo7hs2 · · Score: 3, Insightful

      Actually, EPA mileage estimates usually come out slightly *higher* for automatics now. Just saying.

    6. Re:It is worth what somebody will pay for it by Opportunist · · Score: 2

      Timeo Danaos et dona ferentes

      And considering the gift mentioned in this quote was the Trojan Horse, I can't think of a better phrase describing how I feel about Windows 10.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:It is worth what somebody will pay for it by Opportunist · · Score: 2, Informative

      Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

      Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound that you could get out of your mainboard and it's even nontrivial for people without a decent Linux background to get their graphics acceleration working. And even games that allegedly have Linux support usually mean that "it should run in Mono, right?"

      In other words, Linux on a server? Any time. And probably better supported and faster than what you'll get on Windows.

      Linux on the desktop? Not if gaming is your goal and/or nonstandard non-server hardware is what you'll be using. This is not necessarily the fault of Linux itself, more one of hardware manufacturers delivering zero to little support for their hardware for use in Linux. Which in turn is mostly due to most people buying their hardware for Windows and only installing Linux as an afterthought, only to find out that their hardware is not working as it should, blame Linux and switch back.

      And no, I don't have a solution ready for this.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:It is worth what somebody will pay for it by olsmeister · · Score: 2

      Also, nobody asks to borrow your car (computer) because they cannot operate it.

    9. Re:It is worth what somebody will pay for it by Opportunist · · Score: 5, Insightful

      The problem is, most of the Joe Randomusers out there use their computer primarily as a toy.

      What Joe wants is to look at his Facebook, read his mail, chat with friends and play some games. And that's it. Yes, we up here in our beautiful ivory tower, we might have some lofty ideas what our computers should or should not do, but that matters little to the 99% of Joes out there. They don't care about spyware in their OS. They don't care about only being allowed to install software from the walled garden (because that's all THEY want). And they don't give a shit that we rant and rave against it.

      And neither do hardware makers. They care about sales numbers. If that means to offer locked down hardware that is to the liking of governments and corporations, they will offer locked down hardware. Not because they are "evil", because they hate free speech or because they don't want us to actually own the machines we pay for, but simply because that means more sales.

      So yes, if you want freedom, you have to cater to that Joe out there who wants to play with his toys. Because we are few and the Joes are many. So we need those Joes that want their toys in our boat to get the hardware (and software) makers to do what we want.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:It is worth what somebody will pay for it by fahrbot-bot · · Score: 2

      > but there is little to no support for programmable mice (you know the kind, with the 20 buttons)

      Twenty buttons on a mouse? At that point, wouldn't it just be easier to mount an LED on the bottom of your keyboard and use *that* as your mouse?

      --
      It must have been something you assimilated. . . .
    11. Re:It is worth what somebody will pay for it by clarkn0va · · Score: 3, Insightful

      > And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

      > Of course, we knew the latter already...

      While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
  3. Not overpriced at $90K by xxxJonBoyxxx · · Score: 5, Interesting

    >> While security experts think the ($90K) zero-day may be overpriced

    As a security expert and occasional entrepreneur, let me tell you why this isn't overpriced. Let's say you could deliver 10,000 phishing emails that lead to installation of $70/unlock ransomware screens, of which 50% of victims usually pay. That's $350K of revenue, minus costs of the initial phishing campaign ($5K-ish), bitcoin exchange fees (maybe $10K) and the $90K for your zero day. That leaves a profit of about $250K - not bad for a few days of work.

  4. Re:ALL Windows versions? by Phydeaux · · Score: 3, Informative

    Win 3.11 was an operating environment, so technically not the Win 3.x family. The real question is, will it work on WinME, because even officially authorized software was unable to work with it...

  5. priv esc by Robert+Goatse · · Score: 3, Interesting

    So it's a privilege escalator, not necessarily an exploit to initially get into a host. For a 'real' Windows exploit, 90K is super-duper cheap, but for something like this 90K may be a tad overpriced for what you get.

  6. the free market by Toonol · · Score: 2

    If he can find a buyer, it's not overpriced. Items don't have an innate value; their worth is whatever someone is willing to pay at that moment.

  7. Pfffft by JustAnotherOldGuy · · Score: 4, Funny

    That's nothing. I've got a zero-day bug called "Norton Anti-Virus" that pwns all versions of Windows and it's only $49.99.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Re:Windows 10, the most secure version of Windows by Opportunist · · Score: 2

    That's about as good as being the best Aussie Rules Football player in the whole Vatican. I'd dare say it might even be the Pope.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Not *all* Windows versions by Bing+Tsher+E · · Score: 2

    I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

    The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-Linux option for the desktop. For years Linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop Linux to W2k.