Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at USD 50000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit – which has not been independently verified – was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.
It is just common courtesy to wait for an MS OS to be released to the general public before releasing exploits for it.
This is just wrong.
I will laugh when,in a week after they paid all that money for it,it is patched…lol,I laughing already.
This is obviously a lie perpetrated by cultists and fanboys!
“This is obviously a lie perpetrated by cultists and fanboys!”
Would you mind explaining why?
I think tmack was being sarcastic…
Would you mind explaining why?
Look up member NotParker and you’ll understand…
At first i actually saw him as NP on a second account.
I wonder how high of a markup would there be if Microsoft wanted to buy these exploits.
Edited 2006-12-17 01:29
If an exploit for Vista turns up even before it is available to the general public, why is it still called a zero-day?
Surely this one is in a class of its own, a “problem waiting for victims to install Vista or buy a new Vista computer”, or perhaps “see if we can sabotage Microsoft’s ‘Vista is more secure’ marketing campaign”?
Without doubt, it is your first choice. People who write malware are not there to destroy Microsoft, they are they to take advantage and make money of the gullible.
If Microsoft were to completely lock the system down, and somehow release an unhackable system, these people would find some other way to fleece the public.
Until then, they will use the easiest method.
//Without doubt, it is your first choice. People who write malware are not there to destroy Microsoft, they are they to take advantage and make money of the gullible. //
Agreed, and that ties in well with the idea often put forward that there are many viruses for Windows because it is the OS that everyone runs.
… that isn’t the case for Vista …
It is also often claimed that there would be as many exploits for OSX or Linux if as many people were running it, but here we have an exploit for an OS that almost no-one runs (Vista).
“It is also often claimed that there would be as many exploits for OSX or Linux if as many people were running it, but here we have an exploit for an OS that almost no-one runs (Vista).”
Even evil crackers have to be prepared, because someday in the not so distance future, most people will run Vista, as they will get it on a new PC
If an exploit for Vista turns up even before it is available to the general public, why is it still called a zero-day?
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci955554…
Zero day exploit hasn’t got anything to do with release date. And even if it would, there would be plenty of people already running latest beta, enterprise or so versions.
In short: “A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.” Meaning at least one exploit exists on the same day vulnerability is published.
Edited 2006-12-17 12:16
//In short: “A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.” Meaning at least one exploit exists on the same day vulnerability is published. //
I think you missed the point. This isn’t a zero day exploit because Vista isn’t even released to the general public yet, so how can this exploit “take advantage of a security vulnerability” in an OS that no-one is yet running?
The general assumption is that Windows is heavily attacked by malware because it is the OS on most desktops, and so present the biggest pool of machines as potential targets for the malware.
That isn’t the case for Vista …
So it begs the question, why write this exploit?
Perhaps to get kudos amongst blackhats for the first zero-day for Vista, or something? Is it like a contest or something?
I think you missed the point. This isn’t a zero day exploit because Vista isn’t even released to the general public yet, so how can this exploit “take advantage of a security vulnerability” in an OS that no-one is yet running?
A 0day isn’t an exploit that’s launchecd on day 0 and the clock starts ticking.The malware writers most likely have a MSDN subscription and what not other development stuff.It’s pretty much feasonable a particular exploit stays underground for a couple of years before discovered by a security expert who decides to public.Once the company who makes the vulnerable program has been notified and a patch is released, the public has been notified the 0day becomes {1,2,3..}day.Some claim every major piece of software has 0day exploits routers,switches,OS’s,browsers included.
Edited 2006-12-17 13:37
I think you missed the point.
No:) But I think you misread my post. I perfectly know what zero day exploit is.
My comment was informing parent two things:
– What is zero day, because he was the one who thought wrong
– why would it matter even if his viewpoint of zero day would be correct.
update: since you were posting the parent post (misssed that, I’m sorry), you don’t know what zero day is. Read link I posted or write “zero day exploit” in google.
In conclusion, zero day exploit can be active for several years sometimes. It will stay zero day until it is known in the world (after that counting starts). By that time Vista would be long time launched.
Edited 2006-12-17 14:26
“I think you missed the point. This isn’t a zero day exploit because Vista isn’t even released to the general public yet, so how can this exploit ‘take advantage of a security vulnerability’ in an OS that no-one is yet running?”
It’s been released to businesses. Does that count?
“It’s been released to businesses. Does that count?”
Yes. Although I’m getting a little tired of this release date mismatch. It seems to bend depending on whether you agree Vista was ready in 2006 or 2007, and how you defend or attack Microsoft.
As long as the exploit is not effective remotely, it will not be too bad. Another instance of Sasser, Blaster, or anything else like that would be disasterous for Vista. Trojans aren’t so bad and I’d be hard-pressed to even call them exploits because they attack the user, not the OS’s security model.
The fact that Vista has security flaws is not really the point of this article (I mean let’s be honest, this is software, of course it will have some flaws.)
The point is how much money the information about these flaws can make in the black market. I thought that was pretty crazy. Plus regardless of what piece of software or OS is being targeted, it is just plain evil to be selling it like that.
Plus reading about all the stolen financial info for sale was pretty infuriating.
Im not saying the article is not true but I wonder how close the relationship is between some of the AV devs and the Vx community? Strikes me that finding exploits in Windows flaws and writing the odd clever virus would make a lucrative hobby for a AV dev and protect their business model.
Strikes me that finding exploits in Windows flaws and writing the odd clever virus would make a lucrative hobby for a AV dev and protect their business model.
Both groups share the same interests in technology.The “good” guys once where hackers themselves but decided to go to the other side of the fence.To be competitive you will need to keep in touch with the underground.
Besides who honestly things the malware writers will wait investigating Vista till it’s released?My bet is they are in the game from the earling beta tests.
AVs and VXrs respect each other, they both see their work as art and the best virus writers like finding new ingenious methods to spread, not damage. Nuisence viruses that make themselves known, and their writers, are looked down upon by the VXrs.
There is no respect for Spyware writers, they are the lowest of the low of sploiters.
I can’t even buy a book on ebay without getting screwed, yet you think some thief in tokyo is going to to deliver some online order? $10,000 of anything leaves a paper trail a mile wide. Just who arbitrates in this fantasy?
Soon there’ll be a FSF “BadExploit” campaign against these hackers – “Vista exploits should be open source, not some expensive proprietory software that restrict your freedoms!”….
Hahah I don’t know if that was an attempt at astroturfing or sarcasm, but either way it was funny!
The article talks about people not being able to run SQL Server on Vista and having to find something else to run?
Why not just stay on XP/W2K3?
Given 2K3’s practically perfect track record, Vista has little to show for itself at this early stage.
Vista has a new network stack that is largely untested – I don’t mean tested in Microsoft’s lab. Network stacks are are one of the most complex areas of any OS and they take years of debugging before really being stable.
Vista was getting tossed around like a rag doll at Defcon-14. Laugh if you like, just wait…
Edited 2006-12-17 13:44
This is an completly absurd. Bill Gates was playing poker instead listen his teachers in S.O lessons at college (lol). I can’t find another excuse to this kind of amateur mistake. That was not the first time and probably wont be the last that Microsoft softwares become critically vunerable before his official release.
The most sad part is Microsoft customers are well accustomed with this situation and have ready pockets to spend more money in new update packages. I saw one guy in this thread saying “at least isnt a worm like Blaster…”. This shows how reliable and secure MS products are and what we can wait for Windows Vista.(The same sh*t of anothers)
So sad but its true…
“The most sad part is Microsoft customers are well accustomed with this situation and have ready pockets to spend more money in new update packages.”
You get updates and SPs for free, so I am not sure how your statement is correct
That is what you think, or you believe MS give this for free? Remember dude, we are talking about Microsoft they care for money not for the safety of your information. I could speak for hours about they sort of ‘contracts’ wich doesn’t cover a lot of software upgrades. I can say that because in my job they have a licensed copy of Windows 2003 used as web application server (and of course, it break all the time ).
Are you really believe the cost of that ‘extra’ work isn’t included in the end price of the product? Common, if Windows doesn’t broke everytime probably it will have a much low cost.
Always take this as main lesson, no ones in MS works for free. NOTHING in MS is for free. They always looking/thinking for somehow to bring more money.
Concluding, they have a lot of ways to indirectly charge about the extra services.
Tim Holwerdi
Hi, My name is Tim Holwerdi.
I am gonna tell you my last dream…
I am an Aszzhole in search of Notoriety…
I work in a Website that offers news of IT and Open Source.
I pretend that I do it for the sake of love for IT, but the fact is that, I am expecting good revenues for the
future…
If not, why should I loose my time looking for IT news in other IT Web Sites that offer what I am not able to
offer… for the sake of these IT weirdos geeks and Open source-free computing fanboys…? c’mon…
I think I know more than the rest, of course… and I am always right!
Yes, I know more than anyone of you about Computers, and about anything else you can imagine! even If many people prove me the contrary, I am still right…
Me and my Mac go together everywhere, I even sleep with it, which is somehow problematic, cause as you can imagine, is not easy to have sexual relations tru an USB port, or a FireWire one… but I am in love anyway!…
Anything that is not Mac or commercial, is just wacko rubbish!
And, of course, is not going to offer me anything, because all these Open Source weirdos have no future, and are not gonna advertise in my site, or pay me money… I dont even talk about the FSF retarded hippies!
At best the big companies that now move to Linux, and pretend to be Open Source, worth a little bit, and may be a source of revenues in the future if the have some sucess…
Cheers…
P.S. Apple Rocks… Linux sucks… (MS is very good also, cause they have plenty of money, and are the pattern of our great western Businnes Economic and social system…)