Zero-day vulnerabilities are nothing new in the tech world, but a currently undisclosed one is up for sale on a cyber-crime website. The seller claims this zero-day affects all versions of Windows, including Windows 10, and can even bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Zero-day vulnerabilities are software flaws that allow attackers to take control of a system, and they’re called that because (usually) not even the software’s manufacturer knows about them. Exploits for such flaws are closely guarded, sold for a high price and occasionally stockpiled by cyber criminals and spy agencies, who use them to silently take control of devices.
That’s why seeing one such exploit being openly sold on the criminal market, for $90,000 no less, is a rare occurrence.
The flaw in question seems to be one that Microsoft is not aware of, or at least hasn’t patched yet. The seller, who goes by the screen name BuggiCorp, claims his exploit can be used on all existing versions of Windows, starting with Windows 2000, up to Windows 10. The person in question has also posted videos that seemingly show an up-to-date version of Windows 10 being exploited, meaning the exploit still works even after last month’s patches.
What’s even more worrying and/or impressive is that the exploit in question seems to be able to fully bypass Microsoft’s EMET suite.
Brian Krebs, a noted security researcher, believes this to be a credible exploit, but there’s a silver lining, as this particular zero-day only allows for an escalation of privilege on the target machine. In other words, the exploit would need to be paired with other vulnerabilities or malware before it can do real damage.
Krebs also notes that it’s interesting how the cyber-criminal selling this zero-day could potentially get more money directly from Microsoft. The company has a bug bounty program that regularly pays security researchers when they discover and report vulnerabilities, and Microsoft recently upped its rewards to $100,000 for a zero-day exploit that can fully bypass EMET.
In either case, the commoditization of zero-day vulnerabilities represents a worrying trend in a world where security and digital privacy are becoming ever more important.
Source: Krebs on Security