The buyers aren't biting: Windows zero-day flaw price slashed
A zero-day vulnerability which allegedly compromises a range of Microsoft Windows systems has gone on sale as the seller continues to seek a buyer.
After going on sale in May, the exploit's price has been slashed twice -- and is now on the market for the bargain price of $85,000.
Earlier this month, reports emerged that an underground seller, BuggiCorp, was offering a rather rare zero-day vulnerability which apparently works against versions of Windows from Windows 2000 to the current Windows 10 operating system.
The exploit, for sale on the Russian forum exploit.in, was originally offered with a price tag of $95,000, which later dropped to $90,000, to be paid in the virtual currency Bitcoin.
In an update, Trustwave researchers note that the seller has once again lowered their price for the zero-day exploit to $85,000 in the quest to find a buyer.
"This means that the exploit hasn't sold yet and seller may be having problems finding a buyer," the team notes.
Zero-day vulnerabilities are rare offerings on such forums and can often fetch high prices as vendors, by the vulnerability's nature, have not discovered or patched the problem, potentially giving cyberattackers a wide pool of victims to target.
BuggiCorp's alleged vulnerability is a local privilege escalation (LPE) bug, which can be used alongside other vulnerabilities to make other bugs far more serious.
While not as dangerous as remote code execution flaws, LPE exploits are still an important element in linking other bugs together for purposes including system hijacking, data theft, and malware drops.
Security expert Brian Krebs has called the exploit "convincing," as the seller has provided two proof-of-concept (PoC) videos which appear to show the exploit working successfully against current Window machines which are fully patched and up-to-date.
It also appears that the zero-day is able to bypass protections offered by Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
To further their cause, the seller is also willing to accept payment through an independent escrow service to give buyers the chance to test out the exploit before the funds are taken -- which also lends credibility to the exploit.
In May, Microsoft fixed a number of critical vulnerabilities affecting Internet explorer and Edge as part of Patch Tuesday. The Redmond giant has also changed the location of some security bulletins to the Microsoft Update Catalog when updates are not listed on Microsoft's Download Center.