Discussion in 'other security issues & news' started by Hungry Man, Jan 18, 2012.
Curious that VUPEN is releasing info on an exploit instead of selling it to governments like the Chrome exploit, but then I realized: "It was patched last week by Microsoft as part of the MS12-004 security bulletin."
Now it all makes sense! Good read though, bet Rmus will enjoy this one!
There may be a slight bit of FUD factor here since most should have MS12-004 installed via WU | WSUS.
Typically the 'responsible' exploit research firms will make the exploits available to those who can afford the $100,000 - $250,000 (some fees may be higher) licence fees, and the exploit PoC remains available until it reaches EOL (End of Life), at which point they will report the vulnerability. It is probably a little more complicated than that... and external circumstances could have an influence on the availability.
There is so much more to say... civilian organizations/corporations simply cannot afford to pay security research firms. And the research firms may actually lose profit by reporting the vulnerability.
It's a simple economic issue:
Option A. Sell the exploit PoC to governmentX, governmentY, agency1 and agency2 that all pay $250,000 licence fees.
Option B. Inform the software manufacturer of the vulnerability and receive $1337.
Most software vendors do not pay anything at all which makes it an obvious choice.
To make matters worse, there are different rules governing the reporting of vulnerabilities for 'open source' software. But that subject is beyond the scope of this simple comment.
20,000, not 1337 =P but yes, you're correct. Google can pay a lot more than that and they know that.