Windows zero day devalued as supply and demand takes hold, experts speculate

The price of a Local Privilege Escalation (LPE) zero-day exploit for Windows has come down. The exploit, which could possibly affect 1.5 billion computers worldwide, has been reduced 5.3 percent for the second time since going public on 11 May 2016. It was initially offered for £65,444 ($95,000), but the seller reduced the price to £58,556 ($85,000) on 6 June. That means the exploit hasn't sold yet and the seller may be having problems finding a buyer, according to Trustwave.

The zero-day in question is an LPE vulnerability in Windows which affects all Windows OS versions from 2000 to the latest patched version of Windows 10. LPEs are the second most popular zero-day exploits after Remote Code Executions (RCE). This flaw amplifies the impact of other exploits and is always used with another bug to deliver and run the malicious code successfully.

The first price drop happened 12 days after it was initially posted on a Russian-speaking underground market. The price was lowered by almost 5.3 percent, from £65,444 ($95,000) to £62,000 ($90,000). Once again, sellers reduced the price by another £3,444 ($5,000) two weeks later.

“Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign,” wrote a SpiderLabs researcher in a blog post.

Logan Brown, president of Exodus Intelligence, commented on the sale of this zero-day in a blogpost by Threatpost: “There are a number of things that could account for a delay in the sale of this zero day”.

“It's similar to selling a house when you're talking about prices in that neighborhood,” said Brown, elaborating on price drops, “I would assume that's a sign of supply and demand, not that the zero-day isn't valuable. LPEs are a common target and there is a lot of demand for them. It's just that many of the people who want one probably already have one”.

In the aforementioned blogpost, the SpiderLabs researcher commented that “there's no way to know this with absolute certainty without taking the risk of purchasing the exploit or waiting for it to appear in the wild.”
