MS Investigating Vista Zero-Day Exploit Sale
Microsoft's security response team is trying to verify the accuracy of reports that underground hackers are selling zero-day exploits for Windows Vista.
The company said it is aware of claims by anti-virus vendor Trend Micro that Vista exploits are being peddled in underground security forums in the price range of $50,000, but a spokesperson stressed that Microsoft was not contacted directly by any parties about the vulnerability report.
"[We are not] directly involved in the forums in which vulnerabilities are reportedly traded," the spokesperson said in an e-mail statement. "Microsoft is currently investigating the accuracy of these claims and will provide additional guidance to customers if warranted."
I have seen Vista zero-day exploit sale offers circulating on security mailing lists as early as May 2006, but unless someone actually makes a purchase and conducts testing, it is near impossible to verify whether the exploit is real and reliable.
Still, after being burned by the WMF (Windows Metafile) exploit, which was being hawked by Russian gangs several weeks before the attack, Microsoft cannot simply ignore the Trend Micro warning as fear-mongering.
The underground exploit Web sites are well-known in security circles, and it would be a shame if Redmond weren't tracking these forums closely. Perhaps it's time for Microsoft to set up a special unit within the MSRC to infiltrate the seedier side of the Internet for the express purpose of finding -- and fixing -- these flaws before it's too late.
Over on Microsoft Watch, Joe Wilcox has some useful suggestions on how Microsoft can fight back by aggressively treating black hats as competitors.