Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

There's a patch available

[Anonymous Coward]

Windows XP.

WinXP Security Configuration Guide

[flyingfsck]

Windows XP Professional Common Criteria Configuration Guide:
http://download.microsoft.com/download/5/3/b/53b53 a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteri a_configuration_guide.zip [microsoft.com]

If you have the patience to follow that guide, then your WinXP will be locked down and secure.

Re:

[alphax45]

where are you going on the net with your XP machine? It should not get attacked THAT much, especially if fully patched with a good A/V. I run spybot and ad-aware once a month, they never find anything but tracking cookies. Now on my dads machine I run it when ever I am home and it will find lots more, but he just clicks yes to almost everything.

Re:

[Sj0]

I'd go so far as to say you don't even need the cheap router, since the XP firewall seems to do a good job of closing the most dangerous ports. I've been running for quite a while without a router, and I've found that as long as you cover your ass with respect to the big things, the little things don't tend to hit.

Re:

[GreggBz]

If you're following the same steps (you know, Windows Update, alternate browser and Avast! or similar) with your 2000 machines as you are with your XP machines, I find it highly unlikely that one gets "zombied" while the other does not.

Windows 2000 may have it's advantages but I don't think security is one of them.

I'm a big fat Unix geek, but in reality I've never had a virus with XP or 2000 in 6 years of on again off again usage. Honest.
I stay behind a firewall, use Avast or AVG, used Netscape and now Fire

Re:

[gordgekko]

I've never had a Win 2000 machine zombied but my XP machines are all the time.

Congratulations, you may be the most incompetent XP user ever witnessed on Slashdot.

Re:

[k_187]

wait, isn't incompetent XP user redundant? ZING!

Re:

[Ash Vince]

I have spent until 3am watching people fixing a win2000 server in our cabinet in a datacentre.

Since then they have lost it again but thankfully fixing it was quicker second time around.

On the other hand all our Raq550's and RaqXTR's run linux and have not given me any trouble in that regard yet. We also have a pair of win 2003 servers and they seem to do ok too.

The idea of putting win2000 or Winxp in a mission critical role strikes me as asking for trouble. I wouldn't go near vista in a server role for the

Re:

[djlowe]

>I've got an assortment of five XP and Vista machines (+ 1 LINUX) on my network at home and I've had any of them zombied!

And you're proudly proclaiming this on Slashdot? I admire your courage :)

Ah...

[JoshJ]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.
*salute*

Re:

[Anonymous Coward]

Next, he'll inform us that the dark side is stronger...

Re:

[Swimport]

I dont think its that obvious. There are a lot of people out there that pay for security software. Not to mention the large corporations that spend millions on it. Not even mentioning the tech support jobs created to combat spam and hackers.

Re:

[pilkul]

Indeed, I'd say the claim is obviously false.

Re:

[packeteer]

Think of this simple equation. If more was spent on anti-malware then the damage malware did, nobody woudl spend the money and they would just eat the cost. I realize thats an overly simple scenario but the idea still stands. Malware is used to rip off credit cards and checks which are VERY lucrative. The anti-malware is mostly run by corporations which have a profit margin but its not nearly the same as stealing.

Re:Ah...

[Swimport]

Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesnt mean the damages are ending up in someones pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesnt necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.

Re:

[Anonymous Coward]

The malware industry doesn't exactly report their numbers,

http://www.microsoft.com/msft/earnings/ [microsoft.com]

keep offices,

Their headquarters is here [google.com]

or publish a trade rag.

http://www.microsoft.com/technet/technetmag/ [microsoft.com]

Re:

[ultranova]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.

What isn't quite so obvious is which side should be considered more malicious here: the malware industry, which looks for security holes to profit the Russian mafia and other zombie network controllers but may also end up compromising Vista's DRM - by, say, find an arbitrary code execution hole from Media Player - or the security industry which will inevitably end up defending the

Re:

[budgenator]

since comcast provides McAfee free of additional charges, I decided to load it up on the Wife's WinXP SP2 machine, and I found it actually painful to run on a machine with rudimentary security measures like limited user privileges; then after I thought about it, the only malware ever found in the machine was in the step son's temp internet files. If the malware is effectively contained in an temp file area and never get a chance to get installed, then things must be locked down, so I yanked McAafee and just

Auctions

[bucketoftruth]

Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

Re:Auctions

[ZPWeeks]

No, it IS the Pentagon's system!

Re:

[triso]

Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

It goes without saying that it probably isn't from Redmond.

closed systems

[drDugan]

this seems a natural result of closed-source software companies

I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).

Re:closed systems

[badriram]

please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless ofcourse it is harder to hack them, then prices would higher)

Re:

[camcorder]

Would it be better for spammer to compromise limited time open desktop computer with small bandwidth or some high-end server which is available full time w/ generous bandwidth? If latter is more feasible for spammers or ddos attacker, linux servers has more usage than windows servers. so your assumption is totally wrong.

Re:closed systems

[indigoid]

No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc

Re:closed systems

[badriram]

Ill bite.

1. Linux servers do not have a higher marketshare than windows servers, check your facts.
2. Servers be linux or windows, typically have people that are more computer literate, hence are alrady better protected, monitored, and locked away.
3. millions of unmonitored desktops, with careless users, with broadband connections will always be a better target.

Re:

[jpardey]

I highly doubt that first one. Have you seen that ad on slashdot where microsoft mentions linux explicitly? You never mention your competition unless you are losing. It might be easier to locate and clean up large servers spamming, but they could still be useful for hosting phishing sites or holding porn or distributing spyware. It's also funny that you should say that server operators are more computer literate, because I don't see many FTP home server users giving away account passwords, which was done by

Re:

[jpardey]

Never mention them BY NAME. In fact, even if you are losing, it is best to avoid it. Your competition should be irrelevant, only used/eaten/bought by the foolhardy. I believe Pepsi ads were far more likely to mention Coke, than Coke ads were to mention Pepsi.

Vista

[Dobeln]

It will be shipping on pretty much all new computers headed for clueless users over the next year - it is certain that it will rapidly overtake LINUX in both regular and (more importantly) clueless user market share. :P

Vista Market Share? Re: closed systems

[twitter]

If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices.

So why is anyone buying Vista exploits? To answer that question you have to admit either that M$ does not fix problems for months and years or that the "popularity" argument is bogus. People traffic Windoze exploits because they work today and keep working tomorrow. Non free is a broken development model.

Re:

[rtb61]

Nahh. Linux is about freedom, Linux users feel free to post, troll, comment, reccommend and flame as you see fit or unfit as appropriate to your mood, enjoy and be happy (it's cool to be an individual ;-) ).

For all the paid to post marketdroid lusers, obey, conform and bow to your M$ masters (sucks to be you :-( ).

Don't let the marketdroids fool you, forums are all about expressing yourself creatively, so if something like M$=B$ makes sence and is understood, use it, the same as windoze and windrones an

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[grcumb]

If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices.

But that will never happen, where BSD and Linux are concerned. In fact, it's designed not to happen. The fact of the matter is that people in the FOSS world recognise that monoculture is a dangerous thing, and actually built the entire system to contain as few monolithic elements as possible.

See, the Toolkit Approach doesn't just make the systems integration task easier, it'

As example

[DrYak]

2. Heterogeneity.

As an actual example to your arguments, one may cite the discussion that was featured a few days ago about Red Hat wanting to clean and improve their RPM system.

There was quite a few users complaining about alleged dependency hell that they linked to the RPM format it self, when in fact those problems are due to the fact that several different distribution use the RPM format and one size won't fit all. A single RPM package will only work with a small subset of distribution flavors, featuri

Re:

[flyingfsck]

Linux servers can also get infected with bots - 'redone' for example. I have cleaned a few. Access is usually obtained via a combination of SSH, Apache and idiotic short passwords. BTW, Google alone probably run more Linux servers than there are MS servers in the whole world.

Re:

[JaredOfEuropa]

You mean, with open source systems people can have the zero day exploits for free? Yay...

But jokes aside, you can bet that once housewives and average Joes start running Linux, it will be worthwhile to develop such exploits, and you will start seeing them.

Re:

[hullabalucination]

I tried pretty much the same thing (both with a tar'd shell script and an RPM package) under KDE 3.5.x (I forget which exact version, it's been a few weeks ago and I've upgraded to FC6 now) on Fedora Core 5, emailed to myself via Thunderbird. It appears that Thunderbird strips the executable flag coming back in, so I have to upgrade my privileges to be able to execute a shell script, even when sending and receiving under the same user account.

* * * * * *

I am still learning.
--Michelangelo

I misspoke...

[hullabalucination]

It will allow me to save the archive to disk, then extract the shell script and run it without altering permissions. What Thunderbird won't allow me to do is execute the embedded shell script directly; it will pass it off to the default archive manager but my manager will only allow me save the script or look at it in my default text editor. I could certainly configure the manager to run the script but that's not the default behavior out of the box.

This, however, is a far cry from the last few Windows mal

Price increasing

[Threni]

So it's getting harder? Or is that just wishful thinking?

Re:

[Anonymous Coward]

So it's getting harder? Or is that just wishful thinking?

Not just harder, but longer and thicker, according to the zombie e-mail I receive.

Re:Price increasing - Publicity stunt

[louarnkoz]

This looks very much like a publicity stunt, not "sane malware economics". Suppose that you actually know of a bug in Vista and of the corresponding exploit. Do you think that "just now" is the right time to go to market?

Think again. Vista has not yet been put on the market. Right now, it is available to bulk purchases by enterprises, but there is no indication that these enterprises are engaging in massive upgrades. It is also available for download by MSDN subscribers. All in all, there are probably a m

Re:

[SEMW]

A publicity stunt by whom exactly? It would have to be someone who gains from FUD about Vista & Microsoft, which rather limits the field. It's hardly Apple's style, and I can't exactly imagine it's a group of philanthropic open source advocates who are trying to get everyone to switch to Linux.

Re:

[Macthorpe]

The answer was in the article.

According to [Trend Micro CTO Raimund] Genes

Anti-virus software makers, concerned at the visage that MS has put up of a more secure Vista, trying to ensure sales of anti-virus products on new boxes.

Simple as that.

Re:

[baadger]

Not to mention malware development time. If you're spending $50,000 for the tip off, you don't want to mess up the implementation.

l33t hax0r

[pchan-]

the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.

Re:l33t hax0r

[AltGrendel]

Finding the bug is one thing. Being able to write a program that will successfully exploit it on a consistent basis is another.

Re:

[bluefoxlucid]

Exploiting is easier for me than finding. There are a million people smarter than me who ensured that the bug you found doesn't exist; that you found it indicates something special. Now, any jackass can take advantage of the same damn thing the last 5000 bugs made possible...

Please define "zero-day"

[Schraegstrichpunkt]

Could the Slashdot editors please define the term "zero-day exploit"? I was under the---apparently mistaken---impression that it meant an exploit that was released on or before the day that a given piece of software was released.

Re:Please define "zero-day"

[Omnifarious]

No, it's an exploit released before there's a patch that fixes the hole the exploit exploits.

zero-day warez are cracked (i.e. DRM removed) versions of programs available on the same day or before the commercial versions are released.

Re:

[Schraegstrichpunkt]

So then how is it different from an exploit for an "unpatched" vulnerability?

Methinks it's a recently-made-up scare word.

Re:Please define "zero-day"

[Anonymous Coward]

The media idiots and security vendors bastardized this term. 0-day originally meant an vulnerability unknown to the vendor hence there is no patch or work-around for it.

Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant thier software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sound cool and scary.

There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

Now that the vulnerability is known, it is just an unpatched vulnerability.

"Hacker"

[gerf]

I always thought Hacker meant a guy who spat a lot.

Re:

[Vo0k]

Zero-day warez - yep, you're right.
Zero-day exploits - exploit to unpatched vulnerablity.

DDR RAM isn't a dance training device either.

Re:

[wframe9109]

"Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop" = "Undeground hackers are hawking an exploit for Windows Vista at $50,000 a pop on the day the exploit is released." The value of the exploit diminishes with age, no?

Re:

[bigtomrodney]

No a Zero-Day exploit is one which is capable of exploiting on or before the vulnerability is discovered/made public. So the author was possibly the only one with knowledge of the vulnerability. Wiki Article [wikipedia.org] Of course the usual amount of misunderstanding of the terminology has diluted the meaning somewhat.

What do Linux virii cost?

[k1e0x]

Or are they open source..? ;)

Open source does not equal free beer

[nietsch]

It is perfectly within the terms of the GPL to sell open source software. It is just easier to give it away for free and charge for services/work you do for paying customers.

Economy

[rowama]

This is just another example of how M$ is good for the economy. All you anti-capitalist, libertarian nerds can sit down and shup up, now.

Kidding, of course.

Re:Economy

[EnsilZah]

I was under the impression that libertarians were the embodiment of capitalism.

Re:

[glas_gow]

I was under the impression that libertarians were the embodiment of capitalism.

That's neo-liberalism you're confusing with old fashioned liberalism. With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all admisitrative problems. With old fashioned liberalism the freedom of one person is balanced against the freedom of another, the consequence of which is a system of legislation to protect those freedoms.

Social and economic liberalism

[Colin Smith]

With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all admisitrative problems.

You're mistaking social liberalism with economic liberalism. Liberals, liberalism are/is about both. I'd go as far as arguing that you can't in reality have one without the other, which is why our freedoms are being squashed the world over. Neither the Democrats, nor the Republicans, the Tories or New Labour are Liberal.

Liberalism in America has come to mean socially liberal and economically restrictive. It's an incorrect definition of the word liberalism, and as such you've had to invent a new word to mea

Re:

[Overly Critical Guy]

You need to read his words more closely. He said libertarians, not liberals. Libertarians are all about personal and economic freedoms because they believe the free market regulates itself, as in nature.

Re:

[westlake]

I was under the impression that libertarians were the embodiment of capitalism.

a capitalist system demands respect for tangible and intangible property.

almost everything is ultimately reduced to pieces of papers. mere tokens. an entry in a ledger. a bill of lading.

abstraction demands literacy. competence in math.

a capitalist system demands a mechanism for the enforcement of contracts.

a capitalist system needs reliable weights and measures.

standard time. stable currencies. defenses against highwaymen,

Re:

[John Hasler]

You confound "libertarian" and "anarchist".

Re:

[Colin Smith]

European libertanians? Surely you mean European liberals. The word libertanian isn't even in the Oxford English Dictionary. The word is an American invention to get round the redefinition of liberal. As a European Liberal, I have some sympathy with American Libertanians.

 

None of the things you mention require government

[Colin Smith]

Capitalism doesn't require a government. It may be more efficient with one, but a single overriding authority isn't required.

 

Nope

[misanthrope101]

No, you're thinking of Pamela Anderson.

Well, Duh!

[jc42]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.

Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.

How many times have /. readers been reminded that companies exist to generate profit for their owners?

Re:

[Brandybuck]

How many times have /. readers been reminded that companies exist to generate profit for their owners?

Thank you Sherlock for telling us that companies exist to make profit. Next thing you know you'll be telling us that people work for companies to get a salary.

Here's a big cluestick to knock that tinfoil off your head: there is a world of difference between the goal of generating profit legally and ethically, and the goal of generating profit by any means whatsover.

Duh.

Oh come on now...

[jorghis]

You know the people selling this stuff arent exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

It isnt smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) noone said anything about how big of a security hole we are talking about here.

How about if I tell you that I heard someone offered to sell an Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

Re:

[DavidD_CA]

This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

And either of those actions surprise you, how?

Re:Oh come on now...

[CODiNE]

People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.

True. We don't know it's real.

[Beryllium Sphere(tm)]

If this is anything like the auction markets for credit card numbers, they'll have some kind of reputation tracking.

Yeah, right

[LaughingCoder]

... according to computer security researchers at Trend Micro ...

... like Trend Micro doesn't have anything to gain by people thinking there are Vista exploits. Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP. And I loved the use of the cloak-and-dagger word "infiltrated" to strike further fear into people. This seems to me little more than a sad attempt to remain relevant by an anti-virus vendor.

Re:

[bobcat7677]

Nah, they aren't really scared of being uselss. It's just a marketing battle. Microsoft started it by creating an OS that makes the user "feel" more secure and then making all sorts of forward looking statements about how it's "the most secure OS ever". (my analysis of Vista so far has yielded little in the way of concrete security improvments, but lots of little gadget things that appear to be intended only to make the average user "feel secure".) Given the impressive bloat, mid-stream changes, and ove

Re:

[LaughingCoder]

... my analysis of Vista so far has yielded little in the way of concrete security improvments ...

You must not have looked very hard. Actually there have been substantive changes as regards security, not the least of which is that the user is *not*, by default, running with administrator privileges. This is the #1 reason *nix types criticize Windows as insecure and it has been fixed. Now, I'm sure with all the bloat and "rushed" schedules, problems will creep in, but the very fact that the average home use

Re:

[Watson Ladd]

Well, they didn't do the security right. The same old holes in RPC and badly-made default permissions still exist. Windows will never be secure. Microsoft would have to spend huge amounts of money on it and it wouldn't sell very well.

Re:

[LaughingCoder]

Windows will never be secure. Microsoft would have to spend huge amounts of money on it and it wouldn't sell very well.

On this we can agree, though I would probably say "Microsoft will never be as secure as a server-based OS". As you know there are degrees of security, so making a blanket statement without qualifying what you mean by secure is fairly meaningless. Anyhow, a desktop that is as locked down as a hardened server would be extremely annoying to use, even for technically saavy users. For the typic

Re:

[bobcat7677]

Yes, the default user thing is pretty important. But that is sticking your finger in the leaking dam. I don't count the firewall improvements for much, a "personal software firewall" of any flavor should not be relied upon IMHO. Having a firewall on the same hardware you are trying to protect doesn't make much sense except as a last line of defence. You can't be touching the fire and not get burned as they say. IE7 is not a vista improvement as you mentioned. "Network Access Protection" is a big hack

Re:

[drsmithy]

You must not have looked very hard. Actually there have been substantive changes as regards security, not the least of which is that the user is *not*, by default, running with administrator privileges. This is the #1 reason *nix types criticize Windows as insecure and it has been fixed. Now, I'm sure with all the bloat and "rushed" schedules, problems will creep in, but the very fact that the average home user is no longer an admin should have a huge effect on overall security.

It won't.

Well, it probably

Hi, welcome to...

[thrill12]

0-day-bay, your place for new gadgetries in the world of ScRiPtKidDieS GoNE CoMmErCIal !
Today, we have on offer a few jolly nice samples of the finest goods, what do you think of:
* Evil worm 2 - Dr.Evil himself would promote this one, if he were a real person, but alas: this Evil worm 2 does not come with frickin' lasers on its head. Made in China, this worm can eat away the fumbly firewalls of most present day Windows machines !
All that, at a price of just $30.000 !

* Glasnost x-ploit - Oh my, in the Western world we make the x-ploit, but in Russia - where this lovely piece of software was born - they x-ploit you ! Just like in the old days of Gorbatchov, this Glasnost worm certainly opens ... backdoors ! ha ha !
For just the measle amount of $15.000, you could have your very own Glasnost'ed Windows botnet in no time !

Last but not least, we wouldn't want to forget our bestseller, our hitman, our top product in the fine world of Windows Redecorating Software : Yoghurt Trojan !
Not the milk-product, but you could say it's milky white cream covers most Windows PC's pretty well ! It has no aftertaste like some worms, and definitely likes to morph into different appearances ! It can definitely lighten the spirits of whoever is at the controls and includes a lovely "MAD"-button in case some law enforcement officer decides to peak into your operation : no more evidence, because no more Trojaned PC's survive the Mutually Assured Deletion of this king of kings !
All that, for just $50.000, it's a bargain !

Where's the Popularity Argument Now?

[twitter]

Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.

Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit it's ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.

Most people are not experts

[Nicolay77]

If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now.

They would probably using a 2.2 kernel, a very old build of KDE, and so on.

The fact is: Smart users don't get infected, naive users do. Some smart users use Linux, some smart users use Windows. Most naive users use Windows.

Target the naive users and ignore the smart. No matter what OS the smart people use.

So? Re:Most people are not experts

[twitter]

If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now. They would probably using a 2.2 kernel, a very old build of KDE, and so on. The fact is: Smart users don't get infected, naive users do.

No, everyone who uses Windoze gets infected. It's not something you can do anything about because only M$ can "improve" the system. See here [slashdot.org] for well documented facts about the ongoing M$ security dissa

The odds are against you.

[twitter]

I run XP SP2, Kapersky, and run an antivirus/antispyware (Avast and Spybot) about once every month. I've never had a virus infection on this machine or my previous machine.

Like 75% of Windows users, you probably rate your machine as "moderately" to "very" secure. Yet more than 80% of windows computers are part of the botnet. What do you think you know that 90% of windows users don't? It's all well laid out here [slashdot.org] in stunning and referenced detail.

Re:

[jb.hl.com]

Yet more than 80% of windows computers are part of the botnet.

HAHAHAHAHAHAHAHAHAHAHAHA!

HAHAHAHAHAHAHAHA! HAAAAAAAAAAAAAAHAHAHAHAAHAHAAHAHAHA!!!

You make up statistics (80%?! please) and then babble on about "the botnet", this presumably being the same botnet that posts nasty things about you on Slashdot, sends spam emails, DDOSs websites and brought the Third Reich to power which you so lovingly reference all the time.

Really, I have no idea how you have any credibility. Oh wait, you don't. Sorry.

We Need Vista To Ship & Stay #1...

[BoRegardless]

So I can safely do all my work easier in Mac OSX 10.5 ;-?

How much damage from 'fake' security holes?

[HockeyPuck]

I wonder how much damage they could inflict on companies (consumers of Vista as well as MSFT) by making claims about having a zero day exploit? I bet using the right channels someone could get MSFT to spend quite a bit of resources auditing code.

Similar to how millions now have to take off our shoes in the airport b/c ONE guy tried to light his shoes on an airplane.

Legality

[RiotXIX]

Is this legal? It's like someone overhearing a conversation (or perhaps intentionally overhearing it) between two plotting murderers and auctioning it to news corps/potential victims for where it's going to take place. I find it obscene: by all means get some money for your efforts, but computers control serious things - consider a case where Microsoft (or similar) buys the information before the the press, in order to cover up an embarrasing situation. Someone uses it because Systemantic or whoever didn't

I'll Believe It When It's Confirmed

[ThinkFr33ly]

I had no doubt that there would be flaws found in Vista. No non-trivial software is bug free.

But Vista has a lot of features [wikipedia.org] that makes the inevitable bugs much, much harder to take advantage of.

The single most common attack vector in Windows is IE. Virtually all the malware installed on machines today was likely installed by a drive-by-download caused by one of the many, many holes in IE.

But users running Vista have Protected Mode [msdn.com], which effectively isolates IE and prevents it from doing damage. It's possi

Re:

[schon]

Vista has a lot of features that makes the inevitable bugs much, much harder to take advantage of.

Yes, and I'll bet that each one of those features has it's own bugs which can be exploited - which makes the entire computer easier to exploit, not harder.

It's possible that protected mode has a flaw, but judging by how it works I find that unlikely.

I see you've already considered the possibility that the features will have their own bugs. However, unlike you, I will decide to err on the side of historical evidence.

Historically, MS doesn't know how to write secure software, and takes several attempts to get it right. Why would these new features be any different?

Vista users aren't running as admin

You're claiming that the OS enfor

Re:

[ThinkFr33ly]

Point by point...

Yes, and I'll bet that each one of those features has it's own bugs which can be exploited - which makes the entire computer easier to exploit, not harder.

The features I was referring to are things like ASLR. Even a flawed implementation of ASLR will make the computer harder to exploit, not easier. To assume that any new feature will automatically result in a more vulnerable computer is a flawed assumption. It completely depends on the feature in question.

I see you've already considered the

Re:

[schon]

To assume that any new feature will automatically result in a more vulnerable computer is a flawed assumption.

Bullshit. You said it yourself:

No non-trivial software is bug free.

The more features (code) you add, the larger the bug count. It's a well-known axiom in security circles that every bug is a potential security vulnerability. Therefore, every feature you add makes your software more vulnerable. By definition.

Perhaps if you understood general computer security a little better, it might be helpful for you to understand my arguments. You seem to have done some reading on MS security, but there's a whole world outside of MS. There's a

Capitalism at it's Finest

[Larry_Dillon]

All of the big companies and the government talk about how much they like capitalism, but then complain about things like this. But when you think about it, it's capitalism working exactly as it's supposed to: The market is assigning a dollar value to exploits.

Microsoft has been very lax in the area of security, enabling a market to evolve around exploiting it's weaknesses. Microsoft got it's self into this position by maintaining a monopoly. Absent a monopoly, M$ would have had to compete on quality an

Hm

[mqduck]

$50,000?? That's alot of money to spend in the hope that you'll be given the code promised. I think there may be another possibility. Maybe the seller of this is hoping for just one customer: Microsoft. They don't want these things to be used, and what's $50,000 them anyway?

Re:Why doesn't Microsoft buy those out?

[mochan_s]

I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

Why do?

After a user buys a copy of Vista, Microsoft receives no more money from the user.

It would probably be economically wise to spend time in developing another product.

Re:

[_KiTA_]

After a user buys a copy of Vista, Microsoft receives no more money from the user.

It would probably be economically wise to spend time in developing another product.

Not to mention, if you never fix the bugs, the customers just might be willing to pay for your next OS. ... at least for a while.

Re:

[gutnor]

I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

1. This could be due to the legal implication

I'm not sure law will look kindly at a company that fund illegal activities to improve their business. And if it comes from a security company, just having your name attached that kind of illegal activity could kill your credibility big time ( like 'they did that to fix the bug, yeah sure like petrol in irak is just a coincidence' whatever true or false that may be )

2. Buying would just drive the prices up, hence increase the prices and therefore maybe get the i

Re:

[jpardey]

I had only bid a deciban [wikipedia.org]. You win.

Re:

[I'm Don Giovanni]

We don't know that the exploits are legit.
Microsoft buying them would be giving in to blackmail.
And, these hackers clearly have zero scruples, so what's to prevent them from selling the exploits to others after Microsoft bought them?
Get real.