Windows Zero-Day Affecting All OS Versions On Sale For $90,000

An anonymous reader writes: "A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM," writes Softpedia. The zero-day is up for sale on a Russian underground hacking forum, and is currently available for $90,000 -- after it was initially up for $95,000. The hacker is saying he'll sell the zero-day to one person only, who'll receive its source code and a working demo. Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features. While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

Its not over priced

[Anonymous Coward]

if some one will pay it.

Re:Its not over priced

[Opportunist]

Isn't it heartwarming how quickly those Commies embraced Capitalism?

Re:Its not over priced

[Falos]

Offering a $100 water bottle to someone dying in the desert is overpriced. You people are deliberately spreading this bullshit about "There's no such thing as 'overpriced' we can charge anything for anything".

Using the imaginary property racket to monopolize a $500 pill is overpriced. Oops, someone found a functional reprint and is giving it away, now your angry shareholders are gonna have you black bagged.

Re:Its not over priced

[sshir]

I'm not economist, but still, I think you are wrong. By saying "$100 water bottle to someone dying in the desert" you are intentionally conflating water's utility in that particular situation with water's _marginal_ utility and cost. Who knows how that particular bottle ended up in the desert, might be that the seller is dying from thirst himself, etc.
BTW, marginal utility (and marginal cost) of that vulnerability is exactly zero. Do you expect getting it for free?

And $500 pill might be an abuse of monopoly position, and might not be (e.g. massive R&D with small number of cases). And while government gives copyright protection it also has the power to rein on monopoly abuses. Blame your slow or corrupt or incompetent government for not slapping pharma's hand. Again - granted monopoly comes with price controls - pharma might self regulate if they wish but don't have to (they have shareholders to feed, risky R&D investments to make, etc).

Re:

[lsatenstein]

NSA. Homeland Security, and other goodguys (sic) will do a joint purchase

Re:

[Junta]

But the person said they are going to sell to *one* person. They don't want to sell to multiple people.

Re:

[NatasRevol]

He only wants one customer, so I'd say it doesn't matter.

Re:Its not over priced

[110010001000]

I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

Re:Its not over priced

[JustAnotherOldGuy]

I totally trust the guy when he says he only will sell it to one customer. Why would he want to sell it to many customers? To get more money? Never!

Exactly. Russian hackers are known for their unfailing honesty and fair dealings in their business practices.

Re:Its not over priced

[Anonymous Coward]

Thank goodness Western hackers only do it for God and country

Re:

[pr0fessor]

That's about 6 million rubles is that enough to retire?

Re:

[JustAnotherOldGuy]

That's about 6 million rubles is that enough to retire?

No, not nearly enough unless you're already 75 years old, and maybe not even then. It works out to just under $90K ($89,413 according to google). You could live in style for a while but it's hardly retirement-level money.

Re:

[pr0fessor]

I have no idea how the cost of living differs I have friends in countries where $90k USD would be about the same to them as it is to me and some countries where it would be more, of course $90k is a lot more in kansas than new york and that's the same country.

Re:

[JustAnotherOldGuy]

I have no idea how the cost of living differs

It differs based on location and how old you are. No matter where you live you'll need more to retire at 50 than at 70, assuming you want to live to reach 80 (for example).

Re:Its not over priced

[110010001000]

You are right. People will never trust "BuggiCorp" again. And he can't change his handle, it is on his passport and his Mom would be upset too. Thanks for the tip.

Re:

[AlphaBro]

The first two points are valid. That last, not so much. A vulnerability can be patched at any moment, intentionally or not. This is especially true if live 'spoits are in play.

Shouldn't Microshaft buy it?!

[monkeyzoo]

Shouldn't Microsoft buy this so they can patch it?!?!??!

How does the price compare to their bug bounty, if they have one? In any case, seems it would be good in the long-term for them to snatch it up before criminals do and in the long run would be better PR for Windows than having more hacking cases attributed to them. Or, maybe it's a bad precedent to set for them to pay more and pay outside the official bug bounty channels (again, if they have one)?

It is worth what somebody will pay for it

[thue]

> While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

Re:It is worth what somebody will pay for it

[Anonymous Coward]

I got Windows 10, including all its vulnerabilities, for free. No way is anyone paying $90K for just one of them.

Re:

[Anonymous Coward]

I just woke up one morning, and it was fucking there. I assume it was free, but I really don't know for sure. I just woke up the computer from sleep mode and there was Windows 10 staring back at me. On top of that, it had uninstalled 3 of my apps because it said they were not certified to work with Windows 10. It didn't even ask, it just nuked them. Luckily they were things that I almost never use, but that was wrong. Fuck Windows 10.

Re:It is worth what somebody will pay for it

[Dr_Barnowl]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

Re:

[bbelt16ag]

you don't even got to learn to use a clutch anymore, how hard can it be? C is C, .net is .net whats the damn big deal? move people move! Microsoft is the Villain, always has been always will be.

Re:

[Opportunist]

Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound t

Re:

[flyingfsck]

Yes, yes, Linux doesn't work on toys, but it works on everything else. Windows only works on toys.

Re:It is worth what somebody will pay for it

[Opportunist]

The problem is, most of the Joe Randomusers out there use their computer primarily as a toy.

What Joe wants is to look at his Facebook, read his mail, chat with friends and play some games. And that's it. Yes, we up here in our beautiful ivory tower, we might have some lofty ideas what our computers should or should not do, but that matters little to the 99% of Joes out there. They don't care about spyware in their OS. They don't care about only being allowed to install software from the walled garden (because that's all THEY want). And they don't give a shit that we rant and rave against it.

And neither do hardware makers. They care about sales numbers. If that means to offer locked down hardware that is to the liking of governments and corporations, they will offer locked down hardware. Not because they are "evil", because they hate free speech or because they don't want us to actually own the machines we pay for, but simply because that means more sales.

So yes, if you want freedom, you have to cater to that Joe out there who wants to play with his toys. Because we are few and the Joes are many. So we need those Joes that want their toys in our boat to get the hardware (and software) makers to do what we want.

Re:

[Lord Crc]

Windows only works on toys.

Linux on desktop is a toy.

I use Windows on my desktop PC because I prefer to get shit done.

Re: It is worth what somebody will pay for it

[Type44Q]

Notoriously most non-server related hardware.

You're years out of date.

Re:

[Opportunist]

Ok, then. Since I could not locate them and you're obviously far more knowledgeable, I'm really sure you could point me to the Linux drivers for the Asus Xonar Essence STX so I could actually use it for more than the built-in sound card on the mainboard (for which I also have no drivers, but then again, I don't use it, so...) and tell me how to make a Mad Catz R.A.T. 7 Gaming mouse work (not even talking about drivers for the special tidbits, I'd be happy if all my clicks were noticed already) in XWindow? A

Re:

[haruchai]

Have you tried asking the vendor to write a driver? They wrote the ones for Windows, didn't they?

Re:

[Opportunist]

Yes. There is a market for that in Windows, ya know? Linux gaming is still a rather insignificant portion of the cake.

Re:

[Opportunist]

One out of four. And it's from an AC. And it's something that I'd not really trust Joe Randomuser with.

But hey, it's a start. Out of curiosity, dear AC, how long did you search for it when you needed it?

Re:

[fahrbot-bot]

but there is little to no support for programmable mice (you know the kind, with the 20 buttons)

Twenty buttons on a mouse? At point, wouldn't it just be easier to mount an LED on the bottom of your keyboard and use *that* as your mouse?

Re:

[Opportunist]

C'mon, you're not that aspie that you don't understand the concept of exaggerations.

Re:

[fahrbot-bot]

C'mon, you're not that aspie that you don't understand the concept of exaggerations.

Nope. I've just been around long enough to know how ridiculous some hardware can be and am not assuming you're joking. I'm *sure* someone out there actually has a mouse with 20 buttons on it -- probably that they custom built -- or will want one after reading your post. Just you wait. Someone is going to ask where you got it. :-)

Re:

[KingMotley]

Not much of an exaggeration. Mine has 19.

Re:

[Reziac]

Small potatoes. Did you see Tom Scott's emoji keyboard??!

https://www.youtube.com/watch?... [youtube.com]

Re:

[tlhIngan]

Sadly it ain't that easy. Yes, Linux has come a long way, but there are still a few areas where it is lacking. Notoriously most non-server related hardware.

Yes, you can get drivers for even the most esoteric RAID 6+0 controller you could imagine, but there is little to no support for programmable mice (you know the kind, with the 20 buttons), programmable flight sticks, hell, it's a gamble with most advanced audio cards whether you get any kind of support for the features that elevate them above the sound t

Re:

[Opportunist]

The problem is not just me. The problem is Joe who gets fed up with Windows and eventually gets off his butt and tries something else. Joe will invariably have hardware in his system that will not work well with Linux. Yes, it's a problem of the hardware manufacturers, but in the end, it's ours. Because Joe doesn't care WHY his hardware isn't supported, he cares THAT it isn't supported.

And I could think of quite a few games that refused to work for me in Linux. KSP being maybe the one that most people here

Re:

[flyingfsck]

No, Winston Churchill only said never 7 times in that speech, not 8.

Re:

[HiThere]

Sorry, but that's not true. Microsoft is *A* villain. There are plenty of others. In fact, just about every group is a villain in some area. Apple is notorious for binding users to its hardware, and has been since the Apple ][ variable density disk drives. Google slurps up user information. Red Hat pushes systemd. Etc.

There are plenty of villains to go around. Microsoft is just an unusually wide spectrum villain. But they used to sell good keyboards.

Re:It is worth what somebody will pay for it

[jo7hs2]

Actually, EPA mileage estimates usually come out slightly *higher* for automatics now. Just saying.

Re:

[thegarbz]

Also, it's easy as hell to beat the EPA estimates while still driving fast with most manuals I've driven.

Lol nice try. But not only are the EPA estimates gamed in a way that unless you drive downhill both ways you're not going to beat them, but manufacturers have in the past year come out of the woodworks showing how they themselves game the system to achieve even lower mileage than the car would in any ordinary situation.

Re:

[drinkypoo]

EPA can't drive stick. And, they drive slow as all hell in automatics. No one gets the EPA mileage in an automatic unless they drive like a total asshole on the road (total slow fuck).

I have no trouble getting the EPA estimated mileage in my 1997 Audi A8 Quattro, and that was back in the day when the EPA mileage estimates were invented from dreams and unicorn jism. It's got 230,000 miles on it, and still gets over 19 MPG combined. The window sticker estimate is 17/25; the 3.7 liter FWD model has an 18 combined estimate and I have the 4.2 liter AWD version. (The EPA has not published a combined mileage estimate for my vehicle.) And here's a couple on Fuelly [fuelly.com] getting over 21, they must be d

Re:

[David_Hart]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

More like a model-T where you have to set the gas, choke, and then hand crank it. Some distributions are more user friendly than others, but if you want to do anything more than web browsing and document editing it requires a steeper learning curve than learning how to drive a stick.

Re:

[olsmeister]

Also, nobody asks to borrow your car (computer) because they cannot operate it.

Re:

[thegarbz]

A few more skills, in exchange for more efficiency and better performance.

That is actually a very awesome and relevant comparison given that these days you get better efficiency and better performance out of a variety of the modern automatic transmissions and the only thing that stick shift drivers still have to boast about is more control over their engine.

Re:

[Mashiki]

Learning Linux is like learning to drive a stick shift.

A few more skills, in exchange for more efficiency and better performance.

The only downside is that for gaming in general, 'nix is pretty shitty. I know some idiot will go, blahblah,gaming,blahblah,nicheshit. Keep in mind that most of what people use 'nix for would also be considered niche shit. That's changing at last though, especially with vulkan and the number of developers that are on board with it vs DX12 and that all video card manufacturers are on board with it. With any luck it'll finally put the nail in the coffin of OpenGL and that giant clusterfuck it has yet to r

Re:

[TeknoHog]

Learning Linux is like learning to drive a stick shift.

That's a nice comparison, because here in Finland everyone who learns to drive, does so with stick shift and clutch. Automatic transmissions are only used by disabled people. This is obviously why Linux comes from Finland and Windows comes from the USA.

Re:

[Opportunist]

Windows. Proof of the "you get what you pay for" proverb.

Re:

[negRo_slim]

It has no viruses in the wild despite the powerful high-bandwidth tempting targets that > 50% of all web servers would make.

I'm glad someone brought some humour into this discussion. Good show!

Re:

[Opportunist]

Timeo Danaos et dona ferentes

And considering the gift mentioned in this quote was the Trojan Horse, I can't think of a better phrase describing how I feel about Windows 10.

Re:

[HiThere]

I'd like to say "that's Greek to me", but I know it's Latin...Virgil if I recall correctly.

Re:

[mrchaotica]

They failed to sell it at $95,000, so that amount was overpriced. Since it hasn't sold yet (or at least, Slashdot hasn't reported its sale yet), whether $90,000 is overpriced remains to be seen.

Re:

[ripvlan]

While I agree with your sentiment - something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

I suppose it depends upon how many bidders there are. If there are 20 people who might want to buy it - but only 1 buys it - then it might have been too high a price.

Years ago a friend told me - when discussing setting prices for a tag sale - go on eBay to determine the value of something. It is like a commodities market and shows

Re:

[b0bby]

something being overpriced means "I wouldn't pay that much" Just because some "idiot" would pay that much doesn't mean it was a fair price.

Well, that's the market - all you need is one "idiot" in this case. A "fair" price can be influenced by a lot of things, but a market price should be the highest price the market will bear.

Re:

[bondsbw]

In this case, due to supply vs. demand (where supply = 1) it is the same as literally the highest price anyone will pay for it.

Re:

[geekmux]

> While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

If they think there is a buyer who will pay $90,000 for it, then it is per definition not overpriced.

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

Re:

[JcMorin]

I tend to agree since the hacker said he will sold it only once, that seems to be a good deal for Microsoft.

Re:

[Flavianoep]

They must be trying to figure out what the vulnerability is, or if it actually exist at all.

Re:It is worth what somebody will pay for it

[clarkn0va]

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

Re:

[geekmux]

And if Microsoft themselves do not attempt to buy it, then they've shown how much they value their own product. Or the customer base. Or security in general.

Of course, we knew the latter already...

While I agree that MS cares nothing for security or their customers so long as they retain the ability to take people's money, there are good reasons for them not to pay this ransom. To do so would be to promote this type of black hat activity, and they have no substantial assurance that they will get what they paid for.

Since you've kindly labeled this as a "ransom", please feel free to tell me how this is really that different from a bug bounty program.

You can label this "activity" any way you want. At the end of the day, it's Microsoft paying someone to help make their own damn product secure. One would think that would be worth it to them. The only real difference is Microsoft is being forced to pay more than a pathetic pittance for the solution.

Re:

[Copid]

The difference between paying for this and paying a ransom is that paying a ransom encourages people to do damage that otherwise wouldn't have occurred. In this case, the bug clearly exists already (assuming this isn't fraud), so somebody is going to find it and use it sooner or later, even if this guy doesn't sell the exploit. If it's real, $90K sounds like a sweet deal for Microsoft. A serious incident involving an exploit like that would cause way more than $90K in damage, and it would cost a team of

Re:

[Minupla]

It can't be that good an exploit. M$ pays up to 100KUSD for bug bounties. If it was that good, they'd just sell it to M$, instead of discounting to 90K.

Expect it'll get discounted again before sale. Although they have to be happy about the PR, might help them get a sale.

Windows 10, the most secure version of Windows

[LichtSpektren]

ever!

Re:

[Opportunist]

That's about as good as being the best Aussie Rules Football player in the whole Vatican. I'd dare say it might even be the Pope.

Re: Windows 10, the most secure version of Windows

[Type44Q]

I'd say the priest have got the advantage if that's touch football...

Headline

[rossdee]

:All OS Versions On Sale For $90,000"

What OS versions reetail for $90,000 ?

Maybe some punctuation in the headline might help.

Perspective

[Psicopatico]

You shouldn't worry about known exploits.
You should worry about unknown exploits.

Re:

[Dr_Barnowl]

It's unknown though. It's just a known unknown instead of an unknown unknown.

Re:

[Opportunist]

I wouldn't know.

Not overpriced at $90K

[xxxJonBoyxxx]

>> While security experts think the ($90K) zero-day may be overpriced

As a security expert and occasional entrepreneur, let me tell you why this isn't overpriced. Let's say you could deliver 10,000 phishing emails that lead to installation of $70/unlock ransomware screens, of which 50% of victims usually pay. That's $350K of revenue, minus costs of the initial phishing campaign ($5K-ish), bitcoin exchange fees (maybe $10K) and the $90K for your zero day. That leaves a profit of about $250K - not bad for a few days of work.

Re:

[Anonymous Coward]

It can be wrapped in any number of games and applications, and stuffed onto torrent sites, or even shiteware sites like cnet's. Every week a new mega-game is coming out, suckers are waiting. With the holiday season new CoD, BF, et al looming, millions will grab the latest without a thought.

ALL Windows versions?

[U2xhc2hkb3QgU3Vja3M]

It works on Windows XP? Windows 98SE? Windows 3.11?

Re:

[nullCRC]

just not Windows 2.0

Re:

[Phydeaux]

Win 3.11 was an operating environment, so technically not the Win 3.x family. The real question is, will it work on WinME, because even officially authorized software was unable to work with it...

Re:

[TeknoHog]

The real question is, will it work on WinME

I first read that as "Wine", and a good exploit should be portable in that way. Although I guess technically that would count as a mere operating environment.

MS Goes Black

[TFlan91]

If you thought gwx.exe was a bitch, just wait until MS gets their hands on this exploit!

"But... it was the Russians! They thought they could brick all US PC's by forcing Win10 upgrade!"

Not *all* Windows versions

[Junta]

exists in all OS [versions], starting from Windows 2000.

And people mock me for running NT4!

Re:

[CanadianMacFan]

Bah, you need to be running NT 3.5! After that they moved the video drivers into the kernel and you got a lot more blue screens of death.

Re:

[TemporalBeing]

Ahh, so the claim of M$ that Win10 had a different code base compared to all the previous versions is false.

When did they make that claim? Never that I'm aware of.

Historically, Microsoft had two code bases: Win9x line, and NT line. With WinME and WIn2k/XP, the two lines merged. Then between Win2k/XP and Win2k3/Vista, there was a major refactor of the codebase, removing cyclic dependencies, user-kernel-user dependencies (so it was only user->kernel, no kernel->user), reducing headers so you could actually include simple headers instead of the entire Windows API all the time, and more. Every version of Win

Re:

[Bing Tsher E]

I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

Re:

[TemporalBeing]

I would say that 'With WinME and Win2K the differences became pronounced' then the last desktop-consumer related missing features were rolled into WinXP.

True, though I really didn't like XP's interface (eX-Professional - due to all the bubbles, etc - really made it seem childish to me). Between it and cost I jumped over to Linux for Desktop more quickly; though my employers stuck with Windows.

The release of Win2K really set back Linux on the desktop. For a long time it was the better-than-linux option for the desktop. For years linux advocates carped and whined about 'Windows problems' that were bound to the old Win9x codebase, because they couldn't afford to compare desktop linux to W2k.

Kind of. Win9x/Me and Win2k were pretty close in many respects as far as usability went from a user perspective. The jump from that to the Linux DE's was pretty significant so yes it made it harder especially since XP brought a good bit of compatibility with software w

priv esc

[Robert Goatse]

So it's a privilege escalator not necessarily an exploit to initially get into a host. For a 'real' Windows exploit, 90K is super-duper cheap, but for something like this 90K may be a tad overpriced for what you get.

the free market

[Toonol]

If he can find a buyer, it's not overpriced. Items don't have an innate value; their worth is whatever someone is willing to pay at that moment.

Scam?

[Roodvlees]

Can't he make much more money by selling it to Microsoft? It seems this is priced way too low.

Security experts, but not financial experts...

[Afty0r]

While security experts think the zero-day may be overpriced, they think the hacker will find a buyer regardless.

So by definition they do not think it's overpriced.

Why even care about privilege exploit?

[Anonymous Coward]

Does most malware even need admin or SYSTEM access anymore? Once you have a malicious process running as the local user you can steal their data or encrypt it and extract money that way.

Pfffft

[JustAnotherOldGuy]

That's nothing. I've got a zero-day bug called "Norton Anti-Virus" that pwns all versions of Windows and it's only $49.99.

Whew!

[Barefoot Monkey]

Windows Zero-Day Affecting All OS Versions On Sale For $90,000

Thankfully the OS version I'm using isn't on sale for $90,000 so it isn't affected by this zero-day.

Videos, you say?

[wonkey_monkey]

Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features

Videos, eh? Good job they can't be faked.

WMF bug?

[TemporalBeing]

It keeps rearing its ugly head...did they reintroduce it again?

5 minutes later the buyer gets an NSL from the FBI

[schwit1]

Hand over the vulnerability and you are gagged.

Re:

[Gavagai80]

Somehow I doubt someone buying exploits on the black market is going to charge it to their mastercard and provide their address. Maybe to a victim's.

NSA Will Buy It

[wasteoid]

The NSA will buy it, or some other Three-Letter-Acronym organization. And by "buy it" I mean abduct him, steal it, and dissolve him in a bathtub.

Re:

[mnemotronic]

The NSA will buy it

If it doesn't sell immediately for any price then I suspect that either
1. It's bogus
or
2. The TLAs already have the vuln

Is this a new one?

[dwywit]

Or is it the same old exploit?

Task scheduler - create task
Run as user SYSTEM
trigger - whenever
run cmd.exe or vbscript host with parameters/payload of choice
Profit!

There ya go. Saved you $90K

I use that one to kill anti-virus/anti-malware programs whenever I need to run combofix, because the programs have failed in their primary purpose. If anti-malware programs can't guarantee to stop attacks, they shouldn't be allowed to run in the SYSTEM context. Require a password or SMS code to stop them temporarily, sur

Re:

[omnichad]

Wrong zero. It's still -29 days until the Zeroth of July

Re:

[sexconker]

That's not how any of this works.

Re:

[NatasRevol]

Approaches, possibly.

Implementation, not fucking close.

Re:

[RabidReindeer]

Ha! I'm waiting for the Bangalore version. $95.