Build a zero-day exploit, but will they come?

A malicious attacker has built a zero-day exploit for Microsoft's next-generation operating system, Windows Vista, and is trying to sell the handiwork for a tidy sum of $50,000, according to Raimund Genes, chief technology officer for security firm Trend Micro.

But whether the attacker will get the five-figure price listed on the hush-hush hacker marketplace trading site has yet to be seen, said Genes, who noted he did not test the exploit code and could not vouch for whether it works.

The asking price for the zero-day Vista exploit, which was first noted in eWeek, has some security analysts questioning the likelihood that a fellow attacker would pay such a price.

"In reality, exploits don't stay secret long enough to command that high a price," said Alfred Huger, senior director of engineering for Symantec Security Response. "The prices I've seen are in the several thousand dollar range."

Dave Marcus, security research and communications manager for McAfee, also had doubts about the viability of the attacker obtaining such a high asking price.

"A lot of businesses are not prepared for Vista because of the hardware that's needed. So, businesses may be slow to upgrade," Marcus said. "If you buy a zero-day exploit, you want it to work on a widely deployed piece of software."

The two analysts note that most malicious attackers will barter and trade their exploits among themselves, rather than pay for them in cold cash.

Genes, however, said Vista is widely deployed among Windows users, given Microsoft held such a large beta test for the operating system.

As they say, if you build it, will they come?
