A zero-day exploit that allegedly affects Windows 2000 through Windows 10 is up for sale. The exploit has a price tag of $90,000 (in Bitcoin) on exploit.in, a Russian forum. According to the seller, named BuggiCorp, the exploit works perfectly against all aforementioned versions of the operating system.
Brian Krebs, a security expert, says the exploit is "convincing," but it appears to be a relatively low-severity exploit because it targets a local privilege escalation bug. Hackers could still use the exploit (particularly in conjunction with another) to attack someone's system, but it's not nearly as concerning as a remote exploit.
It's being offered either by itself or with the ability to execute code. Whoever purchases it will receive the code, instructions, a demo, and free updates if it doesn't work against a particular version of Windows.
Microsoft has yet to verify the legitimacy of the exploit, but it is aware of the listing.
It's interesting that this exploit's seller could potentially make more money by peddling his find to Microsoft than to the cybercriminal community. Of course, the videos and the whole thing could be a sham, but that's probably unlikely in this case.
For one thing, a scammer seeking to scam other thieves would not insist on using the cybercrime forum's escrow service to consummate the transaction, as this vendor has. - Krebs