Zerodium offers $500,000 for 0-days in secure messengers
Thread Contributor: BlackCadejo
#1
Zerodium, a company in the quasi-legal exploit trade, has published an updated price list for various vulnerabilities. Among other things, a very impressive bounty has been announced for zero-day vulnerabilities in secure messengers: a 0-day in Telegram, WhatsApp, Signal, Facebook Messenger, iMessage or WeChat that yields remote code execution and local privilege escalation is valued at $500,000.

Secure instant messengers have for some time been a central element in the confrontation between intelligence services and governments on the one hand and users who do not want to compromise the confidentiality of their correspondence on the other. This confrontation peaked last year, when the FBI insisted that Apple bypass its own security mechanisms to help unlock a terrorist's iPhone. Recall that Apple refused to help the Bureau, and as a result the FBI had to break into the smartphone on its own.

Zerodium buys zero-day vulnerabilities and then supplies its clients with exploits and security solutions built on those vulnerabilities. The company does not share the vulnerabilities it acquires with the developers of the affected software, so they go unpatched. Naturally, the developers are not happy about this. Company founder Chaouki Bekrar always stresses that Zerodium, like VUPEN, the previous company he founded, does business exclusively with democratic states and is not under the authority of any state.

The main changes in the published price list concern mobile operating systems. In addition to the messenger bounties above, Zerodium offers up to $500,000 for remote code execution and local privilege escalation in the standard email applications for iOS and Android. A somewhat more modest fee, up to $150,000, is announced for vulnerabilities of the same type in the parts of the operating system responsible for processing media files and documents, and for those handling cellular networks. Finally, up to $100,000 may be paid for a sandbox escape, a code-signing bypass, a vulnerability in SS7 and some other bugs.

Bekrar told Threatpost that Zerodium's government clients have a greater need for vulnerabilities that would allow them to track criminals who use secure instant messengers. "The high value of zero-day vulnerabilities in these applications is due to high demand from our customers. It also plays a role that the attack surface of such applications is small, so it is not easy for researchers to find and exploit vulnerabilities in instant messengers," Bekrar said.

We asked Signal creator Moxie Marlinspike, as well as Facebook and WhatsApp, to comment on the news, but had not received an answer at the time of publication.

Zerodium also announced a $300,000 bounty for 0-day remote code execution on Windows, in particular exploits targeting standard Windows services such as SMB and RDP. Vulnerabilities in Apache web servers on Linux and Microsoft IIS on Windows are valued at $150,000, and a vulnerability in Outlook at $100,000.

Zerodium has also doubled (or nearly doubled) its bounties for attacks on Chrome, PHP and OpenSSL. Remote code execution in the Tor Browser on Linux or Windows has more than tripled in price, from the previous $30,000 to $100,000.

About a year ago Zerodium tripled its reward for a remote iOS 10 jailbreak, to $1,500,000. About two years ago the company became widely known after announcing a $1 million reward for a similar vulnerability in iOS 9.