Hacker offers Windows Zero-Day for sale on forum for $90,000
In a blog post, security researcher Brian Krebs describes a hacker going by the name “BuggiCorp” selling a Windows vulnerability for $90,000 on a forum for cybercriminals. The zero-day would also work on the latest version of Windows 10.
According to Krebs, the vulnerability is a so-called local privilege escalation, which is present in win32k.sys. This makes it possible for an attacker to switch, for example, from a user account to an administrator account with full privileges. The vulnerability can thus be used to execute malicious code on a target’s system. This form is not the most serious exploit, it generally takes the form of remote code execution, where malicious code can be executed remotely.
The vulnerability, according to the seller, would work on all versions of Windows up to the latest version of Windows 10. To illustrate this, a video is available that shows how on a Windows 10 machine with the patch level of May 10 an account obtained with more rights. This is despite the fact that EMET is enabled, which should be used to overcome vulnerabilities.
Jeff Jones, a security officer at Microsoft, told Krebs that the company is aware of the sale of the exploit, but that it has not yet been verified. When asked if buying the exploit itself had been considered, he replied that Microsoft has a bug bounty program, which rewards researchers who report vulnerabilities. The reward depends on the severity of the bug discovered, but the company has been paying $50,000 to $100,000 since last year to circumvent EMET, Krebs said.
It is therefore striking that the seller in question has chosen to offer the bug for sale for the equivalent of 86,500 euros via an internet forum, instead of reporting it to Microsoft. In addition, zero-days are usually not sold this way. A Trustwave researcher assumes the vulnerability is genuine because the seller has gone to great lengths to appear as a trusted party offering a genuine product. The video would provide additional evidence.
Forum members asked the seller if the vulnerability is the version that Microsoft patched on April 12. This vulnerability is known as cve-2106-0167 and is also a local privilege escalation. However, the seller replied that this is not the case and that his product concerns a different vulnerability.