What's a Vista zero-day exploit worth? Try $50K

What's a Vista zero-day exploit worth? Try $50K

Summary: Trend Micro has stumbled upon an auction style marketplace where zero-day exploits for Microsoft's Vista operating system are going for $50,000.The marketplace, reported by eWeek's Ryan Naraine, illustrates that no matter how much Microsoft has beefed up Vista's security the bulls-eye remains on the company's back.

SHARE:
TOPICS: Security
8

Trend Micro has stumbled upon an auction style marketplace where zero-day exploits for Microsoft's Vista operating system are going for $50,000.

The marketplace, reported by eWeek's Ryan Naraine, illustrates that no matter how much Microsoft has beefed up Vista's security the bulls-eye remains on the company's back.

And the stakes are getting higher. Naraine reports:

"In an interview with eWEEK, Trend Micro's chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.

Bots and Trojan downloaders that typically hijack Windows machines for use in spam-spewing botnets were being sold for about $5,000, Genes said."

Using that formula as a template it would stand to reason that hackers could peddle their Word zero-day exploits for more than, say an Apple OSX hack. Financial motive goes along way to explaining why Microsoft is targeted so much (of course shoddy coding helps too).

In other words, there's a vicious Microsoft security cycle that's going to be damn near impossible to break. Microsoft has the most market share, it has the most popular software and hackers can get more money for exploits that do the most damage. Scary stuff. Once the consumer version of Vista hits the street we'll really get to see how Microsoft's security improvements will hold up.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • State the obvious! What is the real problem?

    MS just has to offer more money for pirates to hack OS X and Linux! $1,000,000 a day on offer, just rip into them. Bonuses for each day that it is not patched! What's $365M a year to MS?

    I think in all the MS slagging, the real culprits are ignored: malicious hackers. They are the CAUSE of the problem. Mistakes
    in architecture and programming is not what is CREATING the problem. They may just make it easier for the PROBLEM perpetrators to be effective. Rather like guns being available in general society: they make it easier for murderers and robbers, but they are not the CAUSE of robberies and murder. Until the CAUSES are addressed, almost all efforts will be playing catchup.

    These days of laying the blame at the feet of those most able to pay has distracted effort from trying to find out why some
    people want to destroy and focussed it on trying to reduce their effect. That is counter-productive and just perpetuates the expensive find-a-fault/litigation cycle. It has resulted in a whole security industry that essentially has no interest in
    ultimate CAUSES, because that would shoot themselves in the head.
    Patanjali
    • The real problem is "human greed".

      Good luck fixing that one.

      [i]"Mistakes in architecture and programming is not what is CREATING the problem."[/i]

      But they sure make it [u]easier[/u] for the unscrupulous people in the World to empty your bank account! These days, you don't even need to live in the same country as someone to rob them.
      Zogg
    • nice effort but wrong

      there will always be malicious hackers, much like there will always be poor coding. If we dont patch the crap on windows when aliens come down they will exploit us! we dont want that do we?!?!

      in a society of banned guns only the robbers and maniacs have them. In a society of legal guns, robbers maniacs and those that wish to protect themselves and others have them. Can you see the difference?
      usrhlp
    • RE: State the obvious! What is the real problem?

      > Mistakes in architecture and programming is not what is
      > CREATING the problem.

      With traditional burglary, we do both...hunt down the badguys AND lock the doors. So it's not a case of one or the other. We do both. In this case I suspect the most bang for our buck will be better locks, not tracking down some teenage hacker in Russia.

      As it stands now, the OS and applications are completely vulnerable, not just to hackers but also to poorly written code and novice users. So the most important change we can make is to simply apply hardware protection to these apps. Installing a new version of Word should be as simple as plugging in a physical ROM chip, very similar to those small USB drives that are so popular. Of course the user's files will still reside on disk and still be vulnerable (but to a lesser degree). So backups of user data will still be necessary. Let's face it, if your house burns down, no software OR hardware design will save those files.

      gary
      gdstark13
  • How well will the security hold?!

    It's like the story in the three little pigs first Microsoft made their OS out of straw Windows 98/95 then Windows 2000 and XP out of Wood and in each case the Hacker blew their house down and now they made Vista os out of bricks.

    What will happen when the Hacker comes down the Vista chiminey will he burn his ass like the Wolf or avoid his mistake or get
    inside a more clever way?!
    Kobashrer
    • The first thing the Wolf did to the brick house was...

      ... [b]try[/b] "huffing and puffing". We have yet to discover whether this will work.
      Zogg
  • A fool and his money are soon parted.

    Gee... the "Exploit" didn't work. I wan't my money back. What? I can't have it back? Dude, I'm going to call the cops on you for trying to sell me an exploi...errr... oh crap.
    mobrien_12@...
  • flawed engineering design

    Eventually everyone will be forced to conclude that you can't win a battle against software with software. You need to employ physical protection of the legitimate code...hardware write protection. Most apps should reside on easily removable ROM chips. The fact that applications which have essentially not changed in years are easily overwritten by the badguys, malfunctioning software, or dumb users firmly proves this point.

    It's time to utilize hardware in this battle...the level playing field is a bad design.

    gary
    gdstark13