Windows zero-day vulnerability offered online for $90,000

Works on everything from Windows 2000 to Windows 10, claims the seller

A Windows zero-day vulnerability that, the seller claims, works against all versions of Windows from Windows 2000 to freshly patched Windows 10, is being offered for sale on a Russian cyber-crime forum for $90,000 (£62,500).

While it's unusual for zero-day exploits to be offered for sale on a more-or-less public forum, the seller's claims have been described as "convincing" by security experts.

The vulnerability has been described as a "local privilege escalation" bug that can be used "in tandem with another vulnerability to successfully deliver and run malicious code", according to security blogger Brian Krebs.

The seller goes by the name "BuggiCorp" and has produced two videos of an exploit making use of the vulnerability. The vulnerability went up for sale on 10 May - coincidentally the same day as Microsoft's Patch Tuesday. Indeed, one of the videos demonstrates the exploit being used with Microsoft's Enhanced Mitigation Experience Toolkit (EMET) running.

EMET is intended to block exploits against both known and unknown Windows vulnerabilities, as well as third-party applications running on Windows.

Krebs continues: "Local privilege escalation bugs can help amplify the impact of other exploits. One core tenet of security is limiting the rights or privileges of certain programs so that they run with the rights of a normal user - and not under the all-powerful administrator or 'system' user accounts that can delete, modify or read any file on the computer.

"That way, if a security hole is found in one of these programs, that hole can't be exploited to worm into files and folders that belong only to the administrator of the system.

"This is where a privilege escalation bug can come in handy. An attacker may already have a reliable exploit that works remotely - but the trouble is his exploit only succeeds if the current user is running Windows as an administrator.

"No problem: chain that remote exploit with a local privilege escalation bug that can bump up the target's account privileges to that of an admin, and your remote exploit can work its magic without hindrance."

Cyber-crime forums typically use an escrow payments system to guarantee both anonymity and (more or less) honesty. But one buyer might be Microsoft, suggests Krebs, who notes that the company typically pays out more than $90,000 for information about vulnerabilities of this kind.

Researchers at TrustWave's SpiderLabs also suggest that it's comparatively rare to see such zero-day flaws openly offered for sale.

"Zero days have long been sold in the shadows," claim the researchers. "In this business you usually need to 'know people who know people' in order to buy or sell this kind of commodity. This type of business transaction is conducted in a private manner, meaning either direct contact between a potential buyer and the seller or possibly mediated by a middle man," they continued.

It's not known whether the vulnerability has yet found a buyer.