A Windows 10 zero-day exploit has been put on the market by Russian hackers, who are asking for $90,000 in exchange for the vulnerability. Security expert Brian Krebs of krebsonsecurtiy said that the exploit is “convincing” and the real deal, although it is not as dangerous as some other known bugs.
The vulnerability is, however, a previously undocumented exploit and it has the ability to target all versions of the Windows platform. The unknown nature of the bug is not a surprise considering the security community is usually in the dark on vulnerabilities until they are found in operation. These zero-day flaws are much sought after by the hacking community.
Krebs says the exploit may not be as potent as other types of attack, calling it a local privilege escalation (LPE) bug, although it could lead to wider problems.
“An LPE bug is often used in tandem with another vulnerability to run malicious code on a victim's PC, which can result in heightened severity for other exploits. For example, if a victim is logged on as an admin user, an LPE bug can be used to chain a remote exploit to the system if it requires admin access to work.”
The vulnerability is on sale in the Russian-based forum exploit.in, with user “BuggiCorp” cutting the price from $95,000 Bitcoin to $90,000 in Bitcoin. What is worrying about the exploit is that it can work on all versions of Windows from Windows 2000 to the latest Windows 10 builds.
Jeff Jones, a cybersecurity strategist with Microsoft, said the company was aware of the sale, but at the moment the validity of the exploit is unknown. Interestingly the company could purchase the vulnerability to stop it falling into the wrong hands, but Jones did not say whether that is something Redmond would consider.
However, Microsoft does employ a bounty program where it rewards security firms for reporting such vulnerabilities … Jones said it has paid out $500,000 so far.