Security researchers have discovered a Windows zero-day vulnerability that is going for $90,000 on the underground cyber crime market. A post from a cyber criminal on an underground forum claims to have this vulnerability, which could affect almost all Windows users. If the claims are true, the local privilege escalation vulnerability exists in all versions of the Microsoft Windows OS starting from Windows 2000, potentially impacting over 1.5 billion Windows users.
If exploited, the vulnerability allows attackers to upgrade any Windows user-level account to an administrator account, giving them the ability to install malicious software, gain access to other machines, change user settings and carry out an array of other potentially damaging acts.
Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic, reacts: “Organisations today cannot rely on the vendor to secure them; they need to be in a position to detect threats before they are really known. If organisations are monitoring access to systems as well as deviations from the norm, they will detect this even without having specific security tooling to protect against it. The challenge is that many clients just don’t have the time and resources to watch for this escalation of privileges.”
Simon Crosby, CTO and co-founder at Bromium, says: “The zero-day market remains strong – which means that researchers are confident that there are many more such vulnerabilities they can quickly monetise. Of course, today’s detect-to-protect products such as ‘next-gen AV’ will fail to detect attacks that leverage this or any other new technique to breach the endpoint. The only way forward is for organisations to adopt a security posture that isolates all untrusted computation by default, making endpoints secure by design. For Bromium customer Valspar, this is vital to the way that they protect their users – and their intellectual property – when their users travel to offshore manufacturing facilities.”
Robert Simmons, Director of Research Innovation at ThreatConnect, remarks: “Whether this vulnerability turns out to be real or a hoax, all vulnerabilities, 0-day or not, are a problem if systems are not kept up to date with patches. Staying up to date with software and operating system patches is one of the top ways to protect yourself from threats, along with running with least privilege and application whitelisting. We all agree that 0-days are hard to stop, but you can minimise the dwell time if you are proactively hunting for threats like these in your enterprise.”
Stephen Gates, chief research analyst at NSFOCUS, adds: “The global vulnerability/exploit market is ever growing and can be quite profitable. Researchers (and hackers alike) search for vulnerabilities in operating systems and applications. Once a vulnerability is found, those that discover it work tirelessly to determine if it can be exploited locally or remotely.
In this case, the Windows vulnerability appears to allow local privilege escalation. What this means is that an attacker can escalate their privilege from ‘user’ to ‘administrator’ on any Windows machine that they have local access to. Privilege escalation is a critical component of compromising and maintaining access to infected machines, allowing an Advanced Persistent Threat to exist.
If hackers find a way to bundle this with a Remote Code Execution (RCE) exploit, that changes the equation significantly. RCE exploits do not require local access to the machine and systems can be exploited from anywhere in the world.
The person that found the vulnerability is not breaking the law by selling the vulnerability and associated exploit online, although their ethics are certainly in question. Ninety grand goes a long way and in this case, money wins over ethics. I would imagine that, if the vulnerability and exploit can be verified, Microsoft will likely buy it.
As a matter of fact, NSFOCUS researchers have been awarded a total of $200K for finding Windows vulnerabilities, then sharing them with Microsoft. Earlier this year, NSFOCUS researchers were honoured with the Microsoft Mitigation Bypass Bounty Award for the third year in a row.”