A cyber crook is offering a Windows zero-day vulnerability for $90,000 that they claim works on all versions of Microsoft's OS from Windows 2000 to freshly patched Windows 10.
It's unusual for zero-day exploits to be offered for sale on a more or less public forum, but security experts have described the seller's claims as "convincing".
The vulnerability is a "local privilege escalation" bug that can be used "in tandem with another vulnerability to successfully deliver and run malicious code", according to security expert Brian Krebs.
The seller goes by the name 'BuggiCorp' and has produced two videos of an exploit making use of the vulnerability. The vulnerability went up for sale on 10 May, coincidentally the same day as Microsoft's Patch Tuesday.
Indeed, one of the videos demonstrates the exploit being used with Microsoft's Enhanced Mitigation Experience Toolkit (EMET) running.
EMET is intended to block exploits against known and unknown Windows vulnerabilities, as well as third-party applications running on Windows.
Krebs said: "Local privilege escalation bugs can help amplify the impact of other exploits. One core tenet of security is limiting the rights or privileges of certain programs so that they run with the rights of a normal user and not under the all-powerful administrator or 'system' user accounts that can delete, modify or read any file on the computer.
"That way, if a security hole is found in one of these programs that hole can't be exploited to worm into files and folders that belong only to the administrator of the system.
"This is where a privilege escalation bug can come in handy. An attacker may already have a reliable exploit that works remotely, but the trouble is his exploit only succeeds if the current user is running Windows as an administrator.
"No problem: chain that remote exploit with a local privilege escalation bug that can bump up the target's account privileges to that of an admin, and your remote exploit can work its magic without hindrance."
Cyber crime forums typically use an escrow payments system to guarantee anonymity and (more or less) honesty. But one buyer might be Microsoft, according to Krebs, who pointed out that the company typically pays out more than $90,000 for information about vulnerabilities of this kind.
Researchers at TrustWave's SpiderLabs said that it's comparatively rare to see such zero-day flaws openly offered for sale.
"Zero-days have long been sold in the shadows. In this business you usually need to 'know people who know people' to buy or sell this kind of commodity," the researchers said.
"This type of business transaction is conducted in a private manner, meaning either direct contact between a potential buyer and the seller or possibly mediated by a middleman."
It's not known whether the vulnerability has yet found a buyer.
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere