Russian hackers are selling a zero-day vulnerability for $90,000 which allegedly works against many different evolutions of the Microsoft Windows operating system.
The exploit is on sale in the Russian underground forum exploit.in. The seller, "BuggiCorp," claims the zero-day flaw works against all versions of Windows from Windows 2000 to the current Windows 10 OS.
Zero-day vulnerabilities are a nightmare for vendor security teams. The flaw is unknown to the vendor, so no patch exists, and until the exploit is discovered in the wild attackers can compromise systems without being detected. As a result, zero-day flaws often command high prices.
Security expert Brian Krebs called the exploit "convincing." However, the alleged security flaw is classed as a local privilege escalation (LPE) bug, which is generally rated less severe than other types of vulnerabilities -- such as a remote code execution flaw, which lets attackers compromise a system remotely -- because it requires the attacker to already be running code on the machine.
An LPE bug is usually chained with another vulnerability, which raises the overall severity of the chain. A remote code execution bug in a browser or document reader typically lands the attacker in a low-privilege or sandboxed process; an LPE bug in the kernel then lets that foothold escape the sandbox and run code as SYSTEM, which is what the seller advertises when describing an escape from the low-integrity AppContainer.
The exploit was originally on sale for $95,000, but the price has now dropped to $90,000 in Bitcoin.
Researchers from Trustwave note the seller claims the vulnerability is in win32k.sys and stems from the way Windows handles objects "with certain properties." The seller says:
"The vulnerability is of "write-what-where" type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit.
The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn't get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs]."
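The seller's claim that a "write-what-where" primitive is "sufficient for a full exploit" is the standard view of kernel arbitrary-write bugs, and it is also why an LPE chain is dangerous. The following C program is an added, user-mode model of that reasoning, not code from the article, the seller or Trustwave. It simulates the two classic uses of a single controlled write: swapping a sandboxed process's token pointer for a SYSTEM token (the pure privilege-escalation variant) and overwriting a kernel function pointer so attacker code runs (the code-execution variant). The structures, names (`sim_eprocess_t`, `sim_token_t`, `sim_dispatch_slot`) and values are constructed stand-ins for illustration; nothing here touches a real kernel or a real Windows layout.

```c
/*
 * Added example (not from the article or the seller): a user-mode model of
 * why one kernel write-what-where is "sufficient for a full exploit".
 * Two classic uses of the primitive are shown, matching the two variants
 * on sale: (1) token stealing for privilege escalation, (2) overwriting a
 * kernel function pointer for code execution. All structures, names and
 * values below are constructed stand-ins; nothing touches a real kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for EPROCESS/TOKEN. Real layouts differ per build. */
typedef struct {
    uint32_t integrity;          /* integrity level RID: 0x1000 LOW, 0x4000 SYSTEM */
    const char *label;
} sim_token_t;

typedef struct {
    uint32_t pid;
    sim_token_t *token;          /* what the kernel consults on access checks */
} sim_eprocess_t;

/* Constructed stand-in for a kernel dispatch table slot (cf. HalDispatchTable). */
typedef int (*sim_handler_t)(void);
static sim_handler_t sim_dispatch_slot;

/* The only capability the bug gives: write one pointer-sized value ('what')
 * to any address ('where'). Everything else is built on top of it. */
static void write_what_where(uintptr_t where, uintptr_t what)
{
    *(uintptr_t *)where = what;
}

/* Use 1: token stealing. The attacker needs the address of its own EPROCESS
 * and of a SYSTEM one (found in real exploits via an info leak); a single
 * write then swaps the token pointer, and every later access check passes. */
int steal_token(sim_eprocess_t *self, const sim_eprocess_t *system_proc)
{
    if (!self || !system_proc || !system_proc->token)
        return -1;
    write_what_where((uintptr_t)&self->token, (uintptr_t)system_proc->token);
    return 0;
}

uint32_t effective_integrity(const sim_eprocess_t *p)
{
    return (p && p->token) ? p->token->integrity : 0;
}

/* Use 2: hijack a function pointer so the "kernel" calls attacker code. */
static int attacker_payload_ran;
static int attacker_payload(void) { attacker_payload_ran = 1; return 0x41; }
static int benign_handler(void)   { return 0; }

int hijack_dispatch(sim_handler_t payload)
{
    uintptr_t what;
    if (sizeof what != sizeof payload)   /* same width on all mainstream targets */
        return -1;
    memcpy(&what, &payload, sizeof what); /* copy bytes; avoids a fn-ptr to integer cast */
    write_what_where((uintptr_t)&sim_dispatch_slot, what);
    return 0;
}

/* Scenario: a sandboxed (LOW integrity) process uses the primitive to reach SYSTEM. */
uint32_t demo_token_steal(void)
{
    sim_token_t low = { 0x1000, "LOW (sandboxed)" };
    sim_token_t sys = { 0x4000, "SYSTEM" };
    sim_eprocess_t sandbox  = { 1234, &low };
    sim_eprocess_t sys_proc = { 4, &sys };
    steal_token(&sandbox, &sys_proc);
    return effective_integrity(&sandbox);      /* 0x4000 after the single write */
}

/* Scenario: the same primitive redirects a dispatch slot to attacker code. */
int demo_dispatch_hijack(void)
{
    sim_dispatch_slot = benign_handler;
    attacker_payload_ran = 0;
    hijack_dispatch(attacker_payload);
    return sim_dispatch_slot() == 0x41 && attacker_payload_ran;   /* 1 */
}

int main(void)
{
    printf("token steal: sandbox now runs at integrity 0x%x\n", demo_token_steal());
    printf("dispatch hijack: attacker payload ran = %d\n", demo_dispatch_hijack());
    return 0;
}
```

The point of the model is that the defender-side mitigations the seller lists (ASLR, DEP, SMEP) target different stages: SMEP stops the kernel from executing user-mode pages, DEP stops data pages from executing, and ASLR hides addresses. A primitive that only writes a pointer-sized value into existing kernel data, as in `steal_token`, executes no attacker-controlled instructions in the kernel at all, which is why a data-only token swap is the usual way such primitives sidestep those protections once the target addresses are known.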
The exploit is being offered in two variations; a simple privilege escalation process or with the additional ability to execute code. The buyer will apparently receive the source code, a demo, instructions, consultancy and free updates to "address any Windows version that the exploit might not work on."
BuggiCorp provided two proof-of-concept (PoC) videos which appear to show the exploit working, despite the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is designed to block both known and unknown exploits from operating. One of the videos was recorded on Patch Tuesday, with that day's updates installed.
Krebs wrote: "It's interesting that this exploit's seller could potentially make more money by peddling his find to Microsoft than to the cybercriminal community. Of course, the videos and the whole thing could be a sham, but that's probably unlikely in this case.
For one thing, a scammer seeking to scam other thieves would not insist on using the cybercrime forum's escrow service to consummate the transaction, as this vendor has."
Microsoft cybersecurity strategist Jeff Jones told Krebs the company is aware of the forum, but the zero-day exploit's legitimacy has not been verified.
A Microsoft spokesperson told ZDNet:
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule."